Windows Server 2008 R2 and Windows 7: More Secure Together
Windows Server 2008 R2 and the Windows 7 client were made for each other, and made to provide better and more secure computing when used together. DirectAccess is a new feature that lets Windows 7 users reach the corporate network remotely without a VPN, and RemoteApp and Desktop Connection (presentation virtualization), together with the Remote Desktop Gateway, lets users reach their company desktops and applications from anywhere over an encrypted connection. In this article, we look at these and other features that make the Server 2008 R2/Windows 7 combination the best bet for organizations looking to improve the security of their Windows-based networks.
With the emphasis at Microsoft on trustworthy computing, each edition of the server and client operating systems gets more secure. Windows Server 2008, and especially its latest incarnation, R2, provides IT administrators with many built-in security mechanisms. However, securing the server is only half the battle. The client machine is often targeted for exploit - especially in today's mobile world where users connect from laptops that leave the company premises and thus are not always under the absolute control of the IT department. If your organization needs a high level of security (and in the current compliance-mandated environment, who doesn't?), you should be planning ahead for the deployment of the Windows 7 client in combination with Windows Server 2008 R2 as soon after the Win 7 release as possible. Let's look at some of the advanced security features you'll be able to take advantage of by doing so.
Many organizations make it a policy to wait for the first service pack before rolling out a new client OS. Should you wait for SP1 before you deploy Windows 7? The Gartner Group says no. "The first Service Pack for Windows 7 is not necessary for the operating system's stability and security readiness."
DirectAccess
A perennial problem is how to allow remote users, whether traveling executives on hotel networks or telecommuters working from home, to connect securely to the company network and reach the resources they need without putting the network at risk. The most common solution has been a VPN server: the VPN provides an encrypted tunnel through the public Internet. So what's the problem? The VPN adds a layer of complexity for the end user. In some cases special client software must be installed. In any case, the user must establish the VPN connection for each session, typing in credentials or dealing with a smart card. Sometimes the connection doesn't go through; other times it gets dropped and must be re-established.
DirectAccess (DA) does away with most of the hassle: the connection is established automatically whenever the computer has Internet connectivity, without sacrificing security. Two-factor authentication is supported, so a smart card (or, where the client hardware supports it, biometrics) can be required for user logon. DA authenticates both the computer and the user, and it does so with two IPsec tunnels. The first, the infrastructure tunnel, is authenticated with the computer's certificate and computer account only; it gives the computer access to the DNS servers and domain controllers so that it can download Group Policy and perform user authentication. The second, the intranet tunnel, is authenticated with the computer certificate plus the user's domain credentials (Kerberos, optionally backed by a smart card) and gives the user access to internal resources and application servers.
DirectAccess traffic can be protected either end-to-edge, encrypted between the client and the DA server (which acts as the IPsec gateway and forwards the traffic onto the intranet unencrypted), or end-to-end, all the way to the application server (such as an Exchange server). The caveat is that for end-to-end protection the application servers need to be running Windows Server 2008 or 2008 R2 and must be reachable over IPv6 and configured for IPsec.
DirectAccess uses IPv6, the next generation of the Internet Protocol, with IPsec (3DES or AES) to protect information sent across the Internet. That does not mean you need an IPv6 network to use DA, because it also includes the IPv6-over-IPv4 transition technologies: 6to4 for clients with a public IPv4 address, Teredo for clients behind a NAT, and ISATAP to carry IPv6 across an IPv4-only intranet. Windows 7 and Windows Server 2008 R2 also support a new protocol, IP-HTTPS, which tunnels IPv6 packets inside an IPv4 HTTPS session. This makes it possible for computers behind a web proxy, or a firewall that allows only outbound TCP 443, to connect; the cost is that the IPsec traffic is encrypted a second time inside SSL, so IP-HTTPS is the slowest option and Windows 7 tries it only after 6to4 and Teredo have failed. As with VPNs, Network Access Protection (NAP) can be used to ensure that computers have security updates, anti-virus software and so on before they are allowed onto the company network.
Another advantage of DirectAccess is that it gives you control. DA enables the IT administrator to manage remote systems even when they aren't connected to a VPN. You can apply new Group Policy or distribute software updates any time the remote computer is connected to the Internet - even if the user isn't logged on. This makes it easier to ensure that remote machines comply with company policies in the most timely manner. In addition, you can specify which intranet resources a specific user can access.
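As an added example (not part of the original article or of Microsoft's DirectAccess tooling), the script below checks from a Windows 7 client whether the pieces described above are actually in place: the network location decision, the transition technology in use and the two IPsec tunnels. It uses only the netsh commands that ship with Windows 7. The probe host dc1.corp.contoso.com is an assumed intranet name; substitute a server that is reachable only through the intranet tunnel.

```powershell
# Added example, not from the original article: a Windows 7 DirectAccess
# client health check built on the netsh commands that ship with Windows 7.
# dc1.corp.contoso.com is an assumed intranet host used as a reachability probe.

function Get-NetshField {
    # Return the value of a "Label : value" line from netsh output, or $null.
    param([string[]]$Lines, [string]$Label)
    $hit = $Lines | Select-String -Pattern ('^\s*' + [regex]::Escape($Label) + '\s*:') |
           Select-Object -First 1
    if ($hit) { return ($hit.Line -split ':', 2)[1].Trim() }
}

function Get-DirectAccessClientState {
    param([string]$ProbeHost = 'dc1.corp.contoso.com')    # assumed intranet host

    $dns     = netsh dnsclient show state                  # NRPT / network location
    $teredo  = netsh interface teredo show state           # IPv6 over UDP for NATed clients
    $iphttps = netsh interface httpstunnel show interfaces # IPv6 over HTTPS for proxied clients
    $mmsa    = netsh advfirewall monitor show mmsa         # IPsec main mode SAs

    $state = New-Object PSObject -Property @{
        # "Outside corporate network" means the NRPT is active and DA should be up.
        MachineLocation   = Get-NetshField $dns 'Machine Location'
        DirectAccess      = Get-NetshField $dns 'Direct Access Settings'  # "Configured and Enabled"
        TeredoState       = Get-NetshField $teredo 'State'                # "qualified" when usable
        IpHttpsStatus     = Get-NetshField $iphttps 'Interface Status'    # "IPHTTPS interface active"
        IpHttpsLastError  = Get-NetshField $iphttps 'Last Error Code'     # 0x0 when healthy
        # One main mode SA per tunnel: two entries = infrastructure + intranet tunnel.
        MainModeSAs       = @($mmsa | Select-String 'Remote IP Address').Count
        # ICMPv6 echo through the intranet tunnel. DA requires ICMPv6 to be allowed
        # for Teredo anyway, so a failure here is meaningful.
        IntranetReachable = [bool](Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet -ErrorAction SilentlyContinue)
    }

    if ($state.MachineLocation -like 'Outside*' -and $state.MainModeSAs -lt 2) {
        # Internet is up but no IPsec tunnels. Look at the transition technology
        # fields first: Teredo "offline" together with IP-HTTPS not active usually
        # means the local firewall or proxy is stopping both.
        Write-Warning "Off the corpnet with $($state.MainModeSAs) IPsec SA(s): DirectAccess is not established."
    }
    $state
}

Get-DirectAccessClientState | Format-List
```

Run it in an elevated PowerShell on the client. A healthy client off the corporate network reports MachineLocation "Outside corporate network", exactly one transition technology active, two main mode SAs and IntranetReachable True; anything else tells you which layer (location detection, IPv6 transition or IPsec) to look at first. The policy the NRPT is applying can be dumped with `netsh namespace show effectivepolicy`.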
Microsoft has provided a DirectAccess Early Adopter's Guide that can be downloaded.
RemoteApp and Desktop
RemoteApp is an implementation of Remote Desktop Services by which applications appear to users to be running on their local computers when they are actually running on a Remote Desktop Session Host. This is a form of presentation virtualization. It differs from the traditional terminal services experience in that instead of sharing the entire user desktop through a terminal server, individual applications can be shared that way, transparently to the user. RemoteApp was introduced with Windows Server 2008. Windows 7 adds RemoteApp and Desktop Connection (RAD) feeds, which integrate the local desktop and the remotely hosted applications more tightly.
With RemoteApp and Desktop Connection, administrators can make RemoteApp programs and virtual desktops easily available to users of Windows 7 client computers; the resources appear in the client's Start menu as if they were local.
So what is the security advantage? Centrally hosted applications can be more tightly controlled by IT. Instead of worrying about whether the proper updates have been applied to hundreds of instances of an application on individual computers, with the risk that some machines run unpatched copies, you patch the one copy on the Remote Desktop Session Host. Administrators can add or remove resources, and the RemoteApp and Desktop Connection on users' client computers is updated automatically. The flip side is that the session host becomes a shared, multi-user system holding every user's session, so it deserves the same hardening attention as any server that many users log on to.
You can download the Step-by-Step Guide for deploying RemoteApp and Desktop Connection here.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway) is the new name for Terminal Services Gateway. It is a server role in Windows Server 2008 R2 Standard, Enterprise and Datacenter editions through which remote users can reach Remote Desktop Session Host servers or other computers with Remote Desktop enabled. It tunnels RDP inside HTTPS, so only TCP port 443 needs to be open at the edge and the session is encrypted across the Internet. Connection authorization policies (who may connect) and resource authorization policies (which internal computers they may reach) are enforced on the gateway, which can also dictate device redirection settings such as drives, clipboard and printers. A Server 2008 R2 RD Gateway adds an option to allow client connections only to RD Session Host servers that enforce the gateway's device redirection settings, which prevents a tampered remote client from overriding your redirection policy.
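The following is an added example (not from the original article): a PowerShell function that writes a .rdp file forcing the connection through an RD Gateway with device redirection switched off, then launches it with mstsc. The host names are assumptions; the .rdp keys are the standard settings the Remote Desktop Connection client reads.

```powershell
# Added example, not from the original article: generate a .rdp file that
# routes through an RD Gateway with device redirection off, then launch it.
# Host names are assumed values for the walk-through.
function New-GatewayRdpFile {
    param(
        [string]$Target  = 'app1.corp.contoso.com',   # internal RD Session Host (assumed)
        [string]$Gateway = 'rdgw.contoso.com',        # RD Gateway reachable on TCP 443 (assumed)
        [string]$Path    = "$env:TEMP\app1-via-gateway.rdp"
    )
    $settings = @(
        "full address:s:$Target"
        "gatewayhostname:s:$Gateway"
        'gatewayusagemethod:i:1'          # 1 = always use the gateway (2 = only if direct fails, 0 = never)
        'gatewayprofileusagemethod:i:1'   # 1 = use the gateway settings in this file, not the client default
        'gatewaycredentialssource:i:0'    # 0 = ask for a password; 1 = smart card
        'authentication level:i:1'        # 1 = refuse to connect if the server identity cannot be verified
        'redirectdrives:i:0'              # no client drives mapped into the session
        'redirectclipboard:i:0'           # no clipboard sharing
        'redirectprinters:i:0'
        'redirectcomports:i:0'
        'redirectsmartcards:i:1'          # keep smart cards available for logon
        'drivestoredirect:s:'             # empty list: no drives, even if redirectdrives is flipped later
        'devicestoredirect:s:'
    )
    Set-Content -Path $Path -Value $settings -Encoding ASCII
    $Path
}

$rdp = New-GatewayRdpFile
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$rdp`""
```

These client-side values are a convenience, not a control: anyone who edits the file can turn redirection back on. The enforcement point is the RD Gateway's resource authorization policy together with the option, described above, to allow connections only to RD Session Host servers that enforce the gateway's device redirection settings.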
The latest version of the Remote Desktop Protocol (RDP 7.0), which runs on Windows Server 2008 R2 and Windows 7, also provides graphics rendering and multimedia enhancements that improve the remote desktop experience. For example, the Aero glass effect is now supported, multi-monitor support is better, multimedia redirection via DirectShow is supported, and performance is generally improved.
AppLocker
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that supersedes the old Software Restriction Policies, which were often difficult to use and limited in scope. AppLocker gives you far more flexibility, and its rules are harder to circumvent. AppLocker lets you create rules that control which files can run and assign those rules to specific users or groups (but not to computers; the policy itself is delivered per computer through Group Policy). One caveat: only Windows 7 Enterprise and Ultimate and Windows Server 2008 R2 enforce AppLocker rules; Windows 7 Professional can author them but will not enforce them.
Rules can be based on the publisher, product name, file name and file version taken from the file's digital signature and version resource (Publisher rules); on the directory path (Path rules); or on a cryptographic hash of the file (Hash rules). Each of the three rule types can carry exceptions. Publisher rules survive application updates and are the most robust; hash rules must be regenerated after every patch; path rules are only as strong as the permissions on the path, so never allow a directory that standard users can write to.
Once a rule collection contains at least one rule and is set to enforce, AppLocker blocks every file in that collection that is not explicitly allowed; a collection with no rules blocks nothing, so start by creating the default rules for the Windows and Program Files folders or you will lock users out of the operating system. An audit-only mode logs what would have been blocked without blocking it, and enforcement depends on the Application Identity service (AppIDSvc) running. You can read more about AppLocker here.
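As an added example (not from the original article), the script below builds an AppLocker policy with the AppLocker cmdlets that ship with Windows 7 and Windows Server 2008 R2: a hand-written baseline in the policy's XML format with path rules and exceptions, generated publisher and hash rules for an application folder, audit-mode deployment, and a dry-run test of specific files. The folder C:\Apps\LOB, the account CORP\alice and the Temp and Tasks exceptions are assumptions for the walk-through.

```powershell
# Added example, not from the original article: build, deploy (audit mode) and
# test an AppLocker policy with the Windows 7 / 2008 R2 AppLocker cmdlets.
# C:\Apps\LOB, CORP\alice and the exception folders are assumed values.
Import-Module AppLocker

$policyPath = "$env:TEMP\applocker-baseline.xml"
$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'

# 1. Baseline in the "default rules" shape so Windows and Program Files keep
#    running once enforcement is on. The %WINDIR% rule gets exceptions for
#    sub-folders standard users can write to: a path rule is only as strong
#    as the ACL on the path.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: everything" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# 2. Inventory a line-of-business folder: publisher rules for signed files,
#    hash rules for anything unsigned. -Optimize collapses files of one
#    publisher/product into a single rule; -Xml returns the policy as text.
$lob = Get-AppLockerFileInformation -Directory 'C:\Apps\LOB' -Recurse -FileType Exe, Script, WindowsInstaller
[xml]$lobPolicy = New-AppLockerPolicy -FileInformation $lob -RuleType Publisher, Hash `
                    -User Everyone -RuleNamePrefix LOB -Optimize -Xml

# 3. Merge the generated rule collections into the baseline. Collections that
#    the baseline lacks (Script, Msi) are added in AuditOnly as well.
foreach ($coll in @($lobPolicy.AppLockerPolicy.RuleCollection)) {
    $target = @($policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq $coll.Type }
    if (-not $target) {
        $target = $policy.DocumentElement.AppendChild($policy.ImportNode($coll, $false))
        $target.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    foreach ($rule in $coll.ChildNodes) { [void]$target.AppendChild($policy.ImportNode($rule, $true)) }
}
$policy.Save($policyPath)

# 4. Enforcement (and auditing) needs the Application Identity service.
#    Apply to the local policy; for a domain, use Set-AppLockerPolicy -Ldap
#    with the GPO's distinguished name instead.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Dry run for a non-admin user. Expected: Ledger.exe Allowed by its
#    publisher rule, the download DeniedByDefault (no rule matches), and the
#    Temp drop DeniedByDefault because the exception removes the %WINDIR% match.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CORP\alice' -Path @(
    'C:\Apps\LOB\Ledger.exe',
    'C:\Users\alice\Downloads\setup.exe',
    "$env:windir\Temp\payload.exe"
) | Select-Object FilePath, PolicyDecision, MatchingRule

# 6. After a pilot in AuditOnly, review what would have been blocked (event
#    ID 8003) before changing EnforcementMode to "Enabled".
Get-AppLockerFileInformation -EventLog -EventType Audited | Select-Object Path, Publisher, Hash
```

The XML is the same format the Group Policy editor exports, so the baseline can be reviewed and version-controlled like any other configuration. Keep the administrators rule only if local administrators are genuinely trusted on these machines; it is the default rule, not a requirement.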
BitLocker To Go
BitLocker Drive Encryption was introduced in Vista and was a great feature for laptops, but its usefulness was limited because it could only encrypt the operating system volume. In Server 2008 and Vista SP1 it was enhanced to encrypt additional fixed data volumes. Now, with Server 2008 R2 and Windows 7, BitLocker can also encrypt removable drives. With USB drives ubiquitous, this is a welcome enhancement, because the threat presented by an employee who copies company data onto a removable drive (for instance, to work on at home over the evening or weekend) is very real, and the portability of USB drives makes them easy to lose or steal.
With the new BitLocker To Go feature in Windows Server 2008 R2 and Windows 7, IT administrators can use Group Policy to require that users enable BitLocker on a removable drive before they can write to it. Drives that are not protected remain readable but become read-only, so data can still be brought in but cannot leave in the clear. The recovery password can be escrowed in Active Directory Domain Services, and a related setting refuses to enable BitLocker until that backup has succeeded. Policies are configured under Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.
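As an added example (not from the original article), the script below drives manage-bde.exe, which ships with Windows 7 and Windows Server 2008 R2, to enable BitLocker To Go on a removable drive, escrow the recovery password in AD DS and read back the protection state. It also reads the registry values that the Removable Data Drives policies write, so you can confirm on a client what Group Policy actually delivered. The drive letter E: is an assumption, and the registry value names are those documented for the BitLocker ADMX under HKLM\SOFTWARE\Policies\Microsoft\FVE; check them against your own policy export.

```powershell
# Added example, not from the original article: BitLocker To Go on a
# removable drive via manage-bde.exe, with AD DS escrow of the recovery
# password. E: is an assumed drive letter; the FVE registry value names are
# the documented ones for the "Removable Data Drives" policies.

function Get-BitLockerToGoPolicy {
    # Effective Group Policy for removable drives on this computer.
    # A missing value means the corresponding setting is Not Configured.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DenyWriteToUnprotected = $p.RDVDenyWriteAccess              # 1: unprotected drives are read-only
        DenyWriteOtherOrg      = $p.RDVDenyCrossOrg                 # 1: also refuse drives encrypted elsewhere
        BackupRecoveryToAD     = $p.RDVActiveDirectoryBackup        # 1: escrow recovery info in AD DS
        RequireADBackupFirst   = $p.RDVRequireActiveDirectoryBackup # 1: refuse to enable until escrow succeeds
    }
}

function Get-BitLockerToGoStatus {
    param([string]$Drive = 'E:')
    $lines = & manage-bde -status $Drive
    $field = {
        param($label)
        $hit = $lines | Select-String ('^\s*' + [regex]::Escape($label) + '\s*:') | Select-Object -First 1
        if ($hit) { ($hit.Line -split ':', 2)[1].Trim() }
    }
    New-Object PSObject -Property @{
        Drive         = $Drive
        Protection    = & $field 'Protection Status'     # "Protection On" / "Protection Off"
        Conversion    = & $field 'Conversion Status'     # "Fully Encrypted" when done
        PercentDone   = & $field 'Percentage Encrypted'
        Method        = & $field 'Encryption Method'     # AES 128 with Diffuser by default; policy can demand AES 256
        # Names listed under "Key Protectors:" have no colon, unlike the other fields.
        KeyProtectors = @($lines | Select-String '^\s+(Password|Numerical Password|External Key)\s*$' |
                          ForEach-Object { $_.Matches[0].Groups[1].Value })
    }
}

function Enable-BitLockerToGo {
    param([string]$Drive = 'E:')
    # Password protector for everyday unlock (manage-bde prompts for it) plus a
    # 48-digit numerical recovery password that can be escrowed.
    & manage-bde -on $Drive -PasswordProtector -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed with exit code $LASTEXITCODE" }

    # Find the recovery password's protector ID (the line after "Numerical
    # Password:") and back it up to this computer's AD DS object. This needs
    # the Server 2008 schema and the AD backup policy shown above.
    $out = & manage-bde -protectors -get $Drive
    $id = $null
    for ($i = 0; $i -lt $out.Count -and -not $id; $i++) {
        if ($out[$i] -match 'Numerical Password' -and $out[$i + 1] -match '(\{[0-9A-Fa-f-]+\})') {
            $id = $Matches[1]
        }
    }
    if (-not $id) { throw "No numerical password protector found on $Drive" }
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "AD DS backup of recovery password $id failed" }
    Get-BitLockerToGoStatus $Drive
}

Get-BitLockerToGoPolicy | Format-List
Enable-BitLockerToGo 'E:' | Format-List
```

Run it elevated. If RequireADBackupFirst is 1 and the computer cannot reach a writable domain controller, the manage-bde -on step fails by design; that is the policy doing its job rather than a bug, and it is the reason to verify the escrow path before rolling the policy out to laptops that mostly live off the corporate network.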
Each version of the Windows operating system has added new security enhancements. The current culmination of this focus on security is Windows Server 2008 R2 and the soon-to-be-released Windows 7 client. Unlike with previous versions of the Windows client OS, in beta testing Windows 7 has proven to be remarkably stable and secure, so organizations - especially those that skipped upgrading to Vista and are still using Windows XP - should consider deploying this combination sooner, rather than later.