How Microsoft IT Leverages Security Enhancements from Windows Server 2008 R2
Published: November 2010
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Windows Server 2008 R2 offers significant security enhancements related to network access, branch offices, enforcement, and applications control. Learn how Microsoft IT leverages these enhancements to provide a safer and more secure environment for Microsoft employees and partners.
Intended audience: Technical decision makers
Windows Server 2008 R2 is an incremental upgrade that builds on the Windows Server 2008 foundation. By releasing Windows Server 2008 R2 and Windows 7 at the same time, Microsoft was able to build significant synergy between the two products. This article focuses on some of the technologies made possible by that synergy, including DirectAccess, BranchCache™, Network Access Protection (NAP), and AppLocker™. The article shows how the Information Security and Risk Management (InfoSec) team in Microsoft IT uses these technologies, together with Extended Protection for Integrated Windows Authentication (IWA), to fulfill its mission of enabling secure and reliable business for Microsoft and its customers.
DirectAccess is a new feature in Windows Server 2008 R2 and Windows 7 that provides increased productivity for the mobile work force by offering the same connectivity experience inside and outside the office. With DirectAccess, trusted users on healthy devices on the Internet can securely access corporate resources such as e-mail servers, shared folders, or intranet Web sites without connecting through a Virtual Private Network (VPN). DirectAccess is on whenever the user has an Internet connection, giving users seamless access to intranet resources whether they are traveling, at the local coffee shop, or at home.
DirectAccess combines multiple Windows technologies to enable IP-layer connectivity between Windows computers and any other devices inside the corporate network. It is secured with Internet Protocol Security (IPsec) and strong host protections, including the Trusted Platform Module (TPM) and NAP. IPsec is used to enforce several security requirements that were traditionally implemented by VPNs, including encryption and user authentication.
Multiple remote access methods at Microsoft led to end-user confusion about which technology to use at which time. With the previous VPN solution, users also had to wait through a long quarantine period while the system checked whether the computer had the latest software patches, anti-virus signatures, and so on. Supporting multiple remote access technologies also increased operational overhead for Microsoft IT.
Microsoft IT first offered DirectAccess as a pilot to a subset of employees. Microsoft IT is currently deploying DirectAccess globally in a phased manner to all employees.
DirectAccess provides the following benefits for Microsoft IT:
Better User Experience. For users, DirectAccess simplifies the access choices. Users log into their computers the same way, whether they are local or remote, and have a uniform authentication experience. Users experience seamless connectivity and are no longer required to pick which service point to connect to depending on their physical location or where they are traveling. Users also get connected much faster since they no longer have to wait for scans at connection time.
Manageability of Remote Users. With the previous solution, the InfoSec team could only manage mobile computers when users connected to a VPN or came to the office. With DirectAccess, the InfoSec team can manage a mobile computer whenever that computer has Internet connectivity, even if the user is not logged on. This helps to ensure that mobile users stay up-to-date with security and system health policies. It also helps Microsoft IT meet their regulatory and privacy mandates for security and data protection on assets that roam beyond the traditional corporate network boundaries.
Improved Security. DirectAccess enables mobility while meeting increased security concerns driven by new threats, privacy requirements, and regulatory requirements.
Client Health NAP Integration. DirectAccess clients must be compliant with system health requirements before they are allowed to connect to a DirectAccess server. NAP provides continuous health enforcement, not just a check at the time the connection is established as with the VPN solution. For example, if a user or a process turns off Windows Firewall, NAP automatically turns it back on. Microsoft IT sees improved remediation time because clients are always protected.
System Health Agents (SHAs). Microsoft IT adds security enhancements by using SHAs such as the Microsoft® Forefront™ Client Security SHA.
Strong Authentication. DirectAccess uses IPsec to authenticate the connection and to encrypt the traffic used to access the corporate network. Microsoft IT also configured the optional smart card enforcement feature as a requirement, which provides strong two-factor authentication for all network access. Microsoft IT enforces BitLocker® Drive Encryption for all DirectAccess clients by way of Group Policy. By using smart cards and BitLocker together, Microsoft IT limits the impact of lost or stolen devices: data on the disk stays encrypted, and the device alone cannot authenticate to the corporate network without the smart card and its PIN.
Granular Network Access Controls. The DirectAccess server offers the ability to configure granular network access controls, so the InfoSec team can restrict user access to specific servers or applications.
NAP enforces health requirements by monitoring the health of client computers when users attempt to connect to the network or communicate on the network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how an organization chooses to deploy NAP, non-compliant clients can be quarantined, put in a penalty box, or automatically updated so that users can quickly regain full network access. NAP is built into Windows Vista®, Windows Server 2008, and Windows XP Service Pack 3, but it has been refined in Windows Server 2008 R2 and Windows 7.
With NAP, there are three enforcement modes to choose from:
In reporting mode, NAP automatically checks each client's policy compliance and delivers the data to a central repository. In this mode, NAP does not restrict network access at all, even if the computer is non-compliant.
In deferred enforcement mode, users are not restricted from logging on to the network, but the IT organization is notified of the computer's non-compliance. The user sees a NAP pop-up notification, which educates the user about how to participate in the remediation process. If the auto remediation feature is turned on, NAP automatically fixes the client computer to bring it into compliance, if possible.
In full enforcement mode, NAP does not permit an unhealthy client to log on to the network at all. NAP directs the user to an isolated environment where the user can access remediation services, such as Windows Update. When the computer is compliant, the user is permitted to log on to the network.
Microsoft supplies NAP enforcement clients for IPsec, IEEE 802.1X authentication (wired and wireless), VPN connections, DHCP configuration, and Remote Desktop Gateway (formerly known as TS Gateway) connections. IPsec is the strongest and most flexible NAP enforcement mechanism: a non-compliant client does not receive a health certificate and therefore cannot establish IPsec-protected communication with compliant hosts, regardless of how it reached the network. IPsec also provides network access protection for virtual clients.
With about 71,000 highly mobile users worldwide, Microsoft IT needed a new way to measure and improve the corporate security policy compliance of more than 300,000 client computers, including desktop computers, roaming portable computers (such as DirectAccess clients), visiting portable computers, and unmanaged home computers. The InfoSec team decided to install NAP to better manage the health of Microsoft's environment.
The InfoSec team determined that it would be best to use NAP for three different types of network access and communications: IPsec-protected traffic, DHCP address configurations, and VPN connections. But before the team could deploy NAP in any scenario, it needed to determine which system health agents (SHAs) to use. SHAs check each client's update state, virus signatures, system configuration, and so on for compliance with network access and communication security policies. The team decided to use three SHAs: the Windows SHA, the Forefront Client Security SHA, and the System Center Configuration Manager SHA. Next, the team made sure that those SHAs were installed and enabled on the client computers that were selected to be part of the initial NAP rollout.
The InfoSec team chose the IPsec scenario for the first phase of the deployment because IPsec was already used for domain isolation at the company. The InfoSec team deployed NAP to approximately 130,000 client computers worldwide, based on their domain membership. The team began with NAP in reporting mode so that it could get its first comprehensive view of policy compliance at Microsoft. The team has since moved, in large part, to deferred enforcement with automatic remediation on all domain-joined servers using IPsec. The team found that this enforcement mode provided the best balance between security and business impact for the organization. As of October 2010, Microsoft IT has deployed NAP to 388,051 clients, of which 113,772 reported to NAP from the Internet.
Through the use of NAP, Microsoft IT is encouraging an enhanced security environment for employees. NAP offers the following benefits:
Integration with DirectAccess. Because NAP is built into Windows Server 2008 R2 and Windows 7, it can be used with DirectAccess to verify that client computers meet health requirements before allowing them to make a DirectAccess connection to the corporate network.
Improved Compliance and Efficiency. NAP has enabled the InfoSec team to add efficiency to their security management process while increasing compliance with security policies. NAP provides improved security and helps Microsoft IT meet regulatory requirements while enabling users, such as the sales teams, to move outside the corporate network securely.
Speed. For VPN clients, NAP is much faster than the custom solution that it replaced because NAP evaluates health independent of connections. Previously, users had potentially long connect times because the scan package had to be downloaded and run each time that users connected.
Scalability and Flexibility. The InfoSec team can gradually help users remediate non-compliant computers without blocking access or adding significant management time. The InfoSec team deploys NAP for a variety of access scenarios with different levels of implementation. These access scenarios include VPN connections, IPsec, and DHCP.
BranchCache is a Windows 7 and Windows Server 2008 R2 feature that can help increase the network responsiveness of centralized applications when accessed from remote offices. When BranchCache is enabled, a copy of data accessed from intranet Web and file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache instead of downloading the same content again across the wide area network (WAN). This gives users in remote offices the same experience that they have when working on their local area network (LAN). BranchCache also helps reduce WAN utilization.
BranchCache can improve the performance of applications that use the HTTP and HTTPS protocols and the Server Message Block (SMB) protocol (used for Windows file shares). BranchCache only retrieves data from a server when the client requests it, and because BranchCache is a passive cache, it will not increase WAN utilization. BranchCache only caches read requests, so it will not interfere with a user saving a file.
Distributed Cache or Hosted Cache
BranchCache can operate in Distributed Cache mode or Hosted Cache mode. Distributed Cache mode uses a peer-to-peer architecture. Windows 7 client computers cache copies of files and send them directly to other Windows 7 clients as needed. Distributed Cache mode is especially useful in branch offices that do not have a local server.
Hosted Cache mode uses the client/server architecture. Windows 7 client computers cache content to a computer on the LAN running Windows Server 2008 R2 (the Hosted Cache). Other clients that need the same content retrieve it directly from the Hosted Cache. This computer can run Server Core and can also host other applications.
The Role of Content Metadata
When a second Windows 7 client requests the same file from the content server, the user is authenticated and authorized in exactly the same manner as if BranchCache were not being used. If that succeeds, the content server returns content metadata over the same channel on which the data would normally have been sent. The metadata is what reduces bandwidth, because it is far smaller than the actual content. It is important that the content server sends the metadata to each client, so that a client always receives hashes for the most up-to-date content and never has to trust a peer's claim about what the content is. The content is broken into blocks. For each block, a hash is computed (the block hash). A hash is also computed over a collection of blocks (the segment hash). Content metadata is primarily composed of block hashes and segment hashes; the segment hashes are the unit of discovery on the branch network, and the block hashes let the client verify every block it receives from a peer or Hosted Cache before using it. The hash algorithm is SHA-256. The compression ratio achieved is approximately 2000:1, so the metadata sent over the wire is roughly 2000 times smaller than the original data.
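The following Python script is an added example, not code from the article or from the BranchCache implementation. It reproduces the metadata shape the paragraph describes: SHA-256 block hashes over fixed-size blocks, a segment hash over each group of block hashes, the resulting size ratio, and the client-side verification of blocks served by a peer. The 64 KiB block and 512-block (32 MiB) segment sizes are the documented BranchCache v1 values and are assumed here; the sample content and the peer caches are constructed. The real protocol additionally derives per-segment keys from a server-side secret so that holding the hashes alone is not enough to pull content from a peer; that step is omitted.

```python
import hashlib
from typing import Dict, List

# Documented BranchCache v1 sizes (assumed here; the article gives no numbers).
BLOCK_SIZE = 64 * 1024                    # bytes per block
BLOCKS_PER_SEGMENT = 512                  # 512 blocks = 32 MiB per segment
HASH_LEN = hashlib.sha256().digest_size   # 32 bytes


def block_hashes(content: bytes) -> List[bytes]:
    """One SHA-256 per 64 KiB block; the last block may be short."""
    return [hashlib.sha256(content[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(content), BLOCK_SIZE)]


def segment_hashes(hashes: List[bytes]) -> List[bytes]:
    """One SHA-256 per segment, computed over that segment's block hashes.

    A client advertises these on the branch network to discover who already
    holds the segment; it never has to transfer the content to do so.
    """
    return [hashlib.sha256(b"".join(hashes[i:i + BLOCKS_PER_SEGMENT])).digest()
            for i in range(0, len(hashes), BLOCKS_PER_SEGMENT)]


def metadata_size(content_len: int) -> int:
    """Bytes of hash metadata the content server sends instead of the data."""
    n_blocks = -(-content_len // BLOCK_SIZE)          # ceiling division
    n_segments = -(-n_blocks // BLOCKS_PER_SEGMENT)
    return HASH_LEN * (n_blocks + n_segments)


def compression_ratio(content_len: int) -> float:
    return content_len / metadata_size(content_len)


def fetch_from_peer(peer_store: Dict[bytes, bytes], hashes: List[bytes]) -> List[bytes]:
    """What a client does with blocks served by a peer or Hosted Cache.

    Each block is looked up by its hash and verified against the hash the
    content server sent over the authenticated channel, so a peer that serves
    stale or modified bytes is caught before the data is used.
    """
    blocks = []
    for h in hashes:
        block = peer_store.get(h)
        if block is None:
            raise LookupError("block not cached in branch; fetch over WAN")
        if hashlib.sha256(block).digest() != h:
            raise ValueError("block from peer does not match server hash")
        blocks.append(block)
    return blocks


# Constructed sample content: 1 MiB = 16 blocks, one segment.
CONTENT = bytes(range(256)) * 4096
HASHES = block_hashes(CONTENT)
SEGMENTS = segment_hashes(HASHES)

# A well-behaved peer cache, keyed by block hash.
GOOD_PEER = {h: CONTENT[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
             for i, h in enumerate(HASHES)}

# A peer that serves a modified first block under the original hash.
BAD_PEER = dict(GOOD_PEER)
BAD_PEER[HASHES[0]] = b"\xff" + GOOD_PEER[HASHES[0]][1:]


def demo() -> dict:
    result = {
        "blocks": len(HASHES),
        "segments": len(SEGMENTS),
        "metadata_bytes": metadata_size(len(CONTENT)),
        "ratio_1MiB": round(compression_ratio(len(CONTENT)), 1),
        "ratio_32MiB": round(compression_ratio(32 * 1024 * 1024), 1),
        "good_peer_ok": b"".join(fetch_from_peer(GOOD_PEER, HASHES)) == CONTENT,
    }
    try:
        fetch_from_peer(BAD_PEER, HASHES)
        result["bad_peer_detected"] = False
    except ValueError:
        result["bad_peer_detected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a 1 MiB file the server sends 544 bytes of hashes (16 block hashes plus one segment hash), a ratio just under 2000:1; for a full 32 MiB segment the ratio slightly exceeds 2000:1, which is where the article's approximate figure comes from. The verification step is the security-relevant part: because the hashes arrive from the content server after the normal authentication and authorization, a branch peer can only serve bytes, never decide what the bytes are.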
For Microsoft IT, the trend toward data centralization places more content in data centers that are remote from branch offices. A very large (and increasing) number of remote sites are connected to these data centers. These remote sites range in size from very small (less than 10 users) to very large (greater than 5000 users). Microsoft IT WAN links between data centers and branch offices are thin and expensive. This leads to high link utilization and slow over-WAN application and data access, which impacts user productivity. Improving network performance is expensive, however, and difficult to implement.
In the Microsoft IT environment, 232 of the remote sites have Microsoft IT-managed United Services Platform (USP) servers deployed. 110 of the 232 sites have been upgraded to the next generation remote site platform, which is referred to as Virtual Branch Office Server (VBOS).
The remote sites without VBOS servers were candidates for the use of Distributed Cache mode. The initial Distributed Cache deployment included Montreal, Ottawa, and Hyderabad. The InfoSec team created one group policy object (GPO) for Distributed Cache mode because the same GPO works for any site. For the Windows Server 2008 R2 deployment, the InfoSec team linked this GPO to the corporate domains (Africa, North America, and so on) to turn on Distributed Cache everywhere. The Redmond domain did not receive the Distributed Cache GPO since the Puget Sound area does not represent the target audience for BranchCache. Other sites with large numbers of local data center servers, such as Dublin and Singapore, were also blocked from receiving the Distributed Cache GPO.
The remote sites with VBOS servers were excellent candidates for Hosted Cache mode. An additional virtual machine was installed on each VBOS server and configured as a Hosted Cache. Group policy was applied to the remote site, enabling BranchCache on Windows 7 clients and pointing them to the local Hosted Cache virtual machine for content retrieval.
Each of the sites with VBOS servers needed an individual GPO linked to the site. This is because the GPO must include the name of the Hosted Cache server on the local VBOS. These 232 site-based GPOs take precedence over the domain-based Distributed Cache GPO.
BranchCache provides the following benefits for Microsoft IT:
Performance. Because BranchCache requires no additional network appliances, the InfoSec team was able to improve the performance of remote networks simply by deploying Windows 7 to client computers, deploying Windows Server 2008 R2 to servers, and enabling BranchCache. The performance improvements made possible by BranchCache were better than those of network appliances for the cached data.
Seamless Integration with Network Security Technologies. BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), Server Message Block (SMB) signing, and end-to-end IPsec, because the client's request and the returned metadata travel over the same protected channel the content itself would have used. This is very important for Microsoft IT because IPsec is a critical component of Microsoft IT's security strategy. IPsec protects the network from threats and from malware proliferation through isolation and strong computer authentication, and it is the building block for many other Microsoft IT security initiatives, including NAP and DirectAccess.
Encryption Compatible. BranchCache can also reduce network bandwidth utilization and improve application performance even when the content is sent encrypted. The content server must authenticate and authorize a client before the client retrieves the content from within the branch, and the content server returns content metadata to the requesting client so that the client always references the current version of the requested content on the content server.
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that provides the ability to control the installation and use of applications. This application standardization provides security, operational, and compliance benefits.
An administrator can use AppLocker to:
Prevent users from installing and using unauthorized applications that increase Helpdesk support costs
Keep unlicensed software from running
Allow users to install and run improved applications and software updates based on business needs
Help prevent malware and unsupported applications from affecting computers
Ease enterprise software deployments and maintenance through effective desktop configuration management
Help ensure desktops are in compliance with corporate policies and industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), Basel II, and others.
Stop users from running applications that needlessly consume network bandwidth or otherwise negatively impact the enterprise computing environment
White Lists and Black Lists
AppLocker provides a simple and powerful structure with three different rule types: allow rules, deny rules, and exception rules. Allow rules limit the execution of applications to whatever is on an organization's white list and block everything else. Deny rules take the opposite approach: they allow execution of anything except what is on an organization's black list. Blacklisting is very useful for enforcing application policies on corporate network hosts. For example, the InfoSec team could disallow insecure down-level versions of applications, or any applications that are explicitly forbidden on the corporate network such as file-sharing, peer-to-peer, or remote-control applications. However, it is important to keep in mind that blacklisting can be bypassed by a malicious user who has or gains administrative privileges, for example by editing the local policy or stopping the Application Identity service on which AppLocker depends. Blacklisting should therefore not be expected to protect against the intentional running of unauthorized software by a user with administrative privileges; AppLocker is a policy control for standard users, not a security boundary against a local administrator.
Many enterprises will likely use a combination of allow rules and deny rules. An administrator can also use exception rules together with allow rules or deny rules to exclude files from an allow/deny rule. For example, an administrator could use exception rules to create a rule that would allow everything in the Windows operating system to run except the built-in games. Using allow rules with exception rules provides a good way to build a known good list of applications without having to create an inordinate number of rules.
Microsoft IT provides access to customer-support applications and session-based connectivity to third-party call center support partners. Customer Support Representatives (CSRs) need to be on site, or to have full network access with ample bandwidth, to use the thick-client support applications. The previous solution used Software Restriction Policies, but the policies were complex to set up and difficult and expensive to maintain and troubleshoot.
Microsoft IT implemented AppLocker using allow rules because the CSRs needed to run only specific applications such as the client support application and security requirements dictated that CSRs not be able to run anything else on the Microsoft network. With the AppLocker solution, CSRs log on to Windows Server 2008 R2 Remote Desktop Services (RDS) servers hosted directly on the Microsoft extranet network. Running the support applications with direct network access allows these applications to interact directly with Microsoft IT's support information databases. The call center analysts can query the internal knowledge base and interact with or escalate support tickets directly to Microsoft employees. This provides customers with a single, seamless support team and experience. The AppLocker deployment provides a much simpler solution than the previous solution. With the new solution, the Operations Configuration Manual and Lockdown Guide decreased in size from 30 to 6 pages.
AppLocker provides the following benefits for Microsoft IT:
Easy Creation of White Lists and Black Lists. Before AppLocker, doing any blacklisting or whitelisting of applications was very difficult for Microsoft IT. The allow rules, deny rules, and exception rules give administrators a great deal of flexibility for different situations.
Application Updates. The InfoSec team makes extensive use of a new feature called publisher rules, which are based on the application's digital signature. Because a publisher rule can specify attributes such as the product name and a minimum file version, it survives application updates. For example, the InfoSec team could create a rule that allows Microsoft Word version 7.0 and later to run as long as the binary is signed by the publisher (Microsoft, in this case). When Microsoft updates Word, an administrator can safely push out that update without returning to the policy to build another rule for the new version. The rule is only as strong as the signature check: an unsigned or differently signed copy with the same file name does not match it, and a signed older version below the minimum is still blocked.
Finer Granularity. AppLocker rules can be associated with a specific user, group, or organization. This provides granular controls that enable the InfoSec team to support the client's requirements by validating or enforcing which users can run specific applications. For example, the team could create a rule to allow the people in the Finance department to run all of the Finance Line of Business applications. This rule would block everyone who is not in the Finance department from running the Finance applications, including administrators. But it provides access for those who have the business need to run these applications.
Support for Multiple, Independently Configurable Policies. Multiple independently configurable policies (executables, installers, scripts, and DLLs) enable the InfoSec team to build rules that go beyond the traditional executable-only solutions, providing greater flexibility and enhanced protection. The team can retain control but empower users to keep their systems up-to-date based upon their business needs. In addition, each of these policies can be individually placed into an audit-only mode, which enables the team to test rules before implementation.
Easier Rule Creation. AppLocker provides rule-creation tools and wizards. These tools use a step-by-step approach to create new rules, automatically generate rules, and import and export rules. For example, the InfoSec team could automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The team could also export policy to provide a backup of the production configuration or to provide documentation for compliance purposes.
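The following Python script is an added example, not code from the article or from AppLocker itself. It models the rule semantics the White Lists and Black Lists section and the Application Updates and Finer Granularity items above rely on: allow, deny and exception rules; publisher rules with a product name and a minimum version; per-group scoping; and AppLocker's precedence (an explicit deny wins over any allow, and a file matching no rule in a non-empty collection is implicitly denied). The rules, file records, paths, signer strings and the Finance group are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    publisher: Optional[str] = None      # Authenticode signer, None if unsigned
    product: Optional[str] = None
    version: Tuple[int, ...] = ()


@dataclass(frozen=True)
class Condition:
    """A publisher or path condition (hash conditions work the same way)."""
    publisher: Optional[str] = None
    product: Optional[str] = None
    min_version: Tuple[int, ...] = ()    # publisher rules mean "this version and above"
    path_prefix: Optional[str] = None

    def matches(self, f: FileInfo) -> bool:
        if self.publisher is not None:
            if f.publisher != self.publisher:
                return False             # unsigned, or signed by someone else
            if self.product is not None and f.product != self.product:
                return False
            if f.version < self.min_version:
                return False
        if self.path_prefix is not None and not f.path.lower().startswith(self.path_prefix.lower()):
            return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    principals: FrozenSet[str]           # groups the rule applies to
    condition: Condition
    exceptions: Tuple[Condition, ...] = ()


def rule_applies(rule: Rule, f: FileInfo, groups: FrozenSet[str]) -> bool:
    if not (rule.principals & groups):
        return False
    if not rule.condition.matches(f):
        return False
    # An exception carves the file out of the rule entirely.
    return not any(e.matches(f) for e in rule.exceptions)


def evaluate(rules: List[Rule], f: FileInfo, groups: FrozenSet[str]) -> Tuple[str, str]:
    """AppLocker precedence: explicit deny beats allow; with at least one rule
    in the collection, anything no allow rule covers is implicitly denied."""
    if not rules:
        return "allow", "empty collection: nothing enforced"
    hits = [r for r in rules if rule_applies(r, f, groups)]
    for r in hits:
        if r.action == "deny":
            return "deny", r.name
    for r in hits:
        if r.action == "allow":
            return "allow", r.name
    return "deny", "implicit deny"


MS = "O=Microsoft Corporation, L=Redmond, S=Washington, C=US"   # assumed signer string
EXE_RULES = [
    Rule("Word 7.0+ signed by Microsoft", "allow", frozenset({"Everyone"}),
         Condition(publisher=MS, product="Microsoft Word", min_version=(7, 0))),
    Rule("Windows folder, except games", "allow", frozenset({"Everyone"}),
         Condition(path_prefix="C:\\Windows\\"),
         exceptions=(Condition(path_prefix="C:\\Windows\\Games\\"),)),   # hypothetical path
    Rule("Finance LOB apps", "allow", frozenset({"Finance"}),
         Condition(path_prefix="C:\\Program Files\\FinanceLOB\\")),      # hypothetical path
    Rule("Block P2P client", "deny", frozenset({"Everyone"}),
         Condition(publisher="O=Contoso P2P Ltd")),                     # hypothetical signer
]

EVERYONE = frozenset({"Everyone"})
FINANCE = frozenset({"Everyone", "Finance"})
ADMINS = frozenset({"Everyone", "Administrators"})

# Constructed file records.
WORD_14 = FileInfo("C:\\Program Files\\Microsoft Office\\WINWORD.EXE", MS, "Microsoft Word", (14, 0, 4762, 1000))
WORD_6 = FileInfo("C:\\Old\\WINWORD.EXE", MS, "Microsoft Word", (6, 0))
WORD_UNSIGNED = FileInfo("C:\\Users\\bob\\AppData\\Local\\Temp\\WINWORD.EXE", None, "Microsoft Word", (14, 0))
NOTEPAD = FileInfo("C:\\Windows\\notepad.exe", MS, "Microsoft Windows", (6, 1))
SOLITAIRE = FileInfo("C:\\Windows\\Games\\Solitaire.exe", MS, "Microsoft Windows", (6, 1))
FINANCE_APP = FileInfo("C:\\Program Files\\FinanceLOB\\ledger.exe")
P2P_IN_WINDOWS = FileInfo("C:\\Windows\\Temp\\p2p.exe", "O=Contoso P2P Ltd", "Share", (1, 0))


if __name__ == "__main__":
    cases = [("word 14", WORD_14, EVERYONE), ("word 6", WORD_6, EVERYONE),
             ("unsigned word", WORD_UNSIGNED, EVERYONE), ("notepad", NOTEPAD, EVERYONE),
             ("solitaire", SOLITAIRE, EVERYONE), ("finance user", FINANCE_APP, FINANCE),
             ("admin, not finance", FINANCE_APP, ADMINS), ("p2p in windows", P2P_IN_WINDOWS, EVERYONE)]
    for label, f, groups in cases:
        print(f"{label:20} -> {evaluate(EXE_RULES, f, groups)}")
```

Two outcomes are worth noting. The unsigned copy of WINWORD.EXE in a temp folder is denied even though its file name and version satisfy the Word rule, because a publisher rule matches the signature, not the name. The signed peer-to-peer client dropped under C:\Windows is denied even though the Windows-folder allow rule matches it, because an explicit deny always wins. On a real Windows 7 or Windows Server 2008 R2 computer, Test-AppLockerPolicy performs this evaluation against the actual policy, and the caveat from the text still applies: a local administrator can change the policy the evaluation reads.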
Extended Protection for Integrated Windows Authentication
The InfoSec team also makes use of a new feature called Extended Protection for Integrated Windows Authentication (IWA) that helps protect authentication credentials when IWA is used. It addresses the case in which an attacker induces a client to authenticate to the attacker (for example, through social engineering that lures the user to a malicious host), and then relays that authentication to another server to which the client has legitimate access, without ever learning the user's password. These authentication relay, or "man-in-the-middle", attacks are not new, but they can pose a significant risk in specific deployment scenarios.
There are two components to Extended Protection for IWA: Service Binding and Channel Binding.
Service Binding is an unforgeable statement by the client about the Service Principal Name (SPN) of the server to which it wishes to authenticate; a server that receives an authentication carrying some other server's SPN rejects it. The InfoSec team deploys Service Binding to mitigate the risk of authentication relay attacks with Server Message Block (SMB). SMB Service Binding has replaced SMB signing in areas where the performance degradation of signing had impacted the business. The two controls are not equivalent: Service Binding only stops an authentication from being relayed to a different service, whereas SMB signing also protects the integrity of every message in the session after authentication.
Channel Binding makes use of a secured outer channel (such as a TLS session), a client-authenticated inner channel, and a Channel Binding Token (CBT), which is passed to the server. The CBT is a property of the secured outer channel and is independently arrived at by both the client and the server. It is used to bind that outer channel to a conversation over the client-authenticated inner channel. This CBT value cannot be controlled or influenced by the attacker. A CBT-aware server compares the CBT contained in the client authentication information (which corresponds to the client-attacker channel) to the CBT attached to the attacker-server channel. If the client-attacker CBT does not match the attacker-server CBT, the server detects the man-in-the-middle attack and refuses the authentication request.
The InfoSec team configures Channel Binding on all Internet-facing IIS Servers using IWA.
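As an added example (not code from the article or from Windows), the following Python script models both checks described above: the server rejects an authentication whose Service Binding names a different SPN, and rejects one whose Channel Binding Token was computed over a different TLS channel. The CBT is the RFC 5929 tls-server-end-point binding, a hash of the server certificate; the certificate blobs, SPNs, user key and the HMAC standing in for the credential-keyed integrity check of the real NTLM or Kerberos token are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Tuple


def tls_server_end_point_cbt(server_cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding: a hash of the server
    certificate the endpoint sees on its own TLS session (SHA-256 assumed)."""
    return hashlib.sha256(server_cert_der).digest()


@dataclass(frozen=True)
class AuthToken:
    user: str
    target_spn: str   # Service Binding: the SPN the client intended to reach
    cbt: bytes        # Channel Binding: tied to the TLS channel the client used
    mic: bytes        # integrity check over the fields above


def mic_over(user_key: bytes, user: str, spn: str, cbt: bytes) -> bytes:
    """Stand-in for the MIC that NTLM/Kerberos compute with a key derived from
    the user's credentials. A relay never holds that key, so it cannot rewrite
    the SPN or CBT inside the token without this check failing."""
    msg = user.encode() + b"\0" + spn.encode() + b"\0" + cbt
    return hmac.new(user_key, msg, hashlib.sha256).digest()


def client_authenticate(user: str, user_key: bytes, intended_spn: str,
                        cert_seen_on_channel: bytes) -> AuthToken:
    """The client binds the token to the SPN it thinks it is talking to and to
    the certificate of whatever TLS endpoint actually terminated its session."""
    cbt = tls_server_end_point_cbt(cert_seen_on_channel)
    return AuthToken(user, intended_spn, cbt, mic_over(user_key, user, intended_spn, cbt))


def server_accepts(token: AuthToken, server_spns: FrozenSet[str],
                   server_cert_der: bytes, user_key: bytes) -> Tuple[bool, str]:
    """A CBT-aware server with Extended Protection set to Require."""
    expected_mic = mic_over(user_key, token.user, token.target_spn, token.cbt)
    if not hmac.compare_digest(token.mic, expected_mic):
        return False, "integrity check failed: token altered in transit"
    if token.target_spn not in server_spns:
        return False, f"service binding mismatch: client meant {token.target_spn}"
    if not hmac.compare_digest(token.cbt, tls_server_end_point_cbt(server_cert_der)):
        return False, "channel binding mismatch: token came over another TLS channel"
    return True, "accepted"


# Constructed parties. The DER blobs are placeholders, not real certificates.
SERVER_SPNS = frozenset({"HTTP/intranet.contoso.example"})
SERVER_CERT = b"DER:CN=intranet.contoso.example"
ATTACKER_CERT = b"DER:CN=attacker.example"
USER, USER_KEY = "alice", b"key-derived-from-alice-password"


def direct_logon() -> Tuple[bool, str]:
    """Client talks TLS straight to the real server: both bindings match."""
    tok = client_authenticate(USER, USER_KEY, "HTTP/intranet.contoso.example", SERVER_CERT)
    return server_accepts(tok, SERVER_SPNS, SERVER_CERT, USER_KEY)


def relay_via_lure() -> Tuple[bool, str]:
    """User was lured to the attacker's host by name: the client names the
    attacker's SPN, and the attacker forwards the token to the real server."""
    tok = client_authenticate(USER, USER_KEY, "HTTP/attacker.example", ATTACKER_CERT)
    return server_accepts(tok, SERVER_SPNS, SERVER_CERT, USER_KEY)


def relay_via_spoofed_name() -> Tuple[bool, str]:
    """Attacker answers for the real server's name (e.g. spoofed DNS), so the
    SPN is right, but the client's TLS session ends at the attacker's cert."""
    tok = client_authenticate(USER, USER_KEY, "HTTP/intranet.contoso.example", ATTACKER_CERT)
    return server_accepts(tok, SERVER_SPNS, SERVER_CERT, USER_KEY)


def relay_with_patched_cbt() -> Tuple[bool, str]:
    """Attacker overwrites the CBT with the one for its own channel to the
    server; the credential-keyed MIC no longer verifies."""
    tok = client_authenticate(USER, USER_KEY, "HTTP/intranet.contoso.example", ATTACKER_CERT)
    patched = AuthToken(tok.user, tok.target_spn, tls_server_end_point_cbt(SERVER_CERT), tok.mic)
    return server_accepts(patched, SERVER_SPNS, SERVER_CERT, USER_KEY)


if __name__ == "__main__":
    for case in (direct_logon, relay_via_lure, relay_via_spoofed_name, relay_with_patched_cbt):
        print(f"{case.__name__}: {case()}")
```

The spoofed-name case is the one Service Binding alone does not catch, since the client genuinely intended the real server's SPN; only the CBT, derived from the certificate on the client's own TLS session, exposes that the session terminated somewhere else. The patched-CBT case shows why the article can say the attacker cannot control the value: it is covered by an integrity check keyed from credentials the relay never sees.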
To fulfill their mission of enabling secure and reliable business for Microsoft and Microsoft's customers, the InfoSec team in Microsoft IT leverages enhancements in Windows Server 2008 R2. The team makes extensive use of technologies made possible by the synergy between Windows Server 2008 R2 and Windows 7, including DirectAccess, NAP, BranchCache, and AppLocker.
The InfoSec team uses:
DirectAccess to provide a seamless, secure, and uniform connectivity experience for mobile users on the Internet who want to access intranet resources on the corporate network. The InfoSec team also uses DirectAccess to manage mobile computers whenever those computers have Internet connectivity.
NAP together with DirectAccess to monitor the health of client computers when users attempt to connect to or communicate on the corporate network. The team also uses NAP to remediate computers that are out of compliance.
BranchCache to help increase network performance of centralized applications when accessed from remote offices while still allowing encryption. BranchCache provides better performance improvements than a network appliance solution. Microsoft IT also benefits from the reduced WAN utilization.
AppLocker to control the installation and use of applications.
Extended Protection for IWA to protect authentication credentials from man-in-the-middle attacks.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2010 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, AppLocker, BitLocker, BranchCache, Forefront, Vista, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.