Security and Protection

 

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This collection contains descriptions and links to information about changes in security technologies in Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8.

The following table provides links to available information for the IT professional about security technologies and features for Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8. More technologies and features will be added to this table as content becomes available.

Feature or Technology

Overview

What changed in Windows Server 2012 R2

What changed in Windows Server 2012

Access Control

Access Control Overview

Access control helps protect files, applications, and other resources from unauthorized use.

The Protected Users security group and Authentication Policy Silos add more credentials protection. They are administered through Active Directory Domain Services.

A restricted administration mode is available in the Remote Desktop Services (RDS) client.

For more information see, Credentials Protection and Management.

Added the ability to use dynamic rules-based policies to protect shared folders and files. For more information, see Dynamic Access Control: Scenario Overview

Redesigned the Access Control List Editor (ACL editor) to more clearly present key information needed to assess and manage access control. For more information, see Enhanced ACL Editor.

AppLocker

AppLocker Overview

AppLocker provides policy-based access control management for applications.

To assist you in process analysis, AppLocker captures command information for each process at runtime, and writes that data to the security log and states, ”The system is attempting to launch a process with the following attributes:”

Added functionality to set rules on app packages, which helps manage Windows Store apps. For more information, see Packaged Apps and Packaged App Installer Rules in AppLocker.

BitLocker

BitLocker Overview

BitLocker Drive Encryption enables you to encrypt all data that is stored on the operating system volume and configured data volumes for computers running supported versions of Windows. By using a Trusted Platform Module (TPM), it can help ensure the integrity of early startup components.

Broadening support for additional platforms.

Recovery password now FIPS-compliant.

For more information, see What's New in BitLocker.

Added improvements for provisioning and encryption methods, the ability for standard users to change their PINs, support for encrypted hard drives, and a network unlock feature. For more information, see What's New in BitLocker for Windows 8 and Windows Server 2012 [redirected].

Credential Locker

Credential Locker Overview

Credential Locker is managed through the Control Panel by Credential Manager, and supports mostly consumer scenarios.

Enhancement of credential storage through web authentication broker-capable apps, and ability to select a default credential for each site

Added ability to program Windows Store apps to use Credential Locker, and improvements to credential roaming (which is set to be disabled for domain-joined computers. For more information, see New and changed functionality.

Credentials protection

 Credentials protection and management.

New techniques and features to manage and protect credentials during authentication.

Added additional LSA protection configuration options, new security group, new ways to group users and apply specific authentication policies,

For more information, see Credentials Protection and Management

Not available

Encrypted Hard Drive

Encrypted Hard Drive

Encrypted Hard Drive is a feature that is provided with BitLocker to enhance data security and management.

Device encryption is available on most editions of Windows.

For more information, see Device encryption.

Introduced in Windows Server 2012 and Windows 8. For more information, see Support for Encrypted Hard Drives for Windows.

Exchange ActiveSync Policy Engine

Exchange ActiveSync Policy Engine Overview

Set of APIs that enable apps to apply EAS policies on desktops, laptops, and tablets to protect data that is synchronized from the cloud, such as data from Exchange Server.

In certain cases, biometrics sign-in methods are not disabled when the failed-attempts limit is exceeded.

For more information, see New and changed functionality.

Introduced in Windows Server 2012.

Group Managed Service Accounts

Group Managed Service Accounts Overview

The group Managed Service Account provides the same functionality as the standalone Managed Service Account within the domain, and it extends that functionality over multiple servers.

No changes.

Added the group Managed Service Account. For more information, see What's New for Managed Service Accounts.

Kerberos

Kerberos Authentication Overview

Kerberos protocol is an authentication mechanism that verifies the identity of a user or host.

Change of behavior when the account is in the Protected User security group.

For more information, see Credentials protection and management.

Reduced authentication failures due to larger service tickets, added changes for developers and IT professionals, changes to smart card sign on KDC validation defaults, and added configuration and maintenance improvements.

Important

For domain-joined devices, the default changed so that now smart card sign-on requires that the KDC certificate chains to a CA in the NTAuth store.

For more information, see What's New in Kerberos Authentication

Local Computer Policy Settings

Security Policy Settings Overview

Security policy settings are the configurable rules that the operating system follows when it determines the permissions to grant in response to a request for access to resources.

Group Policy Administrative Templates can also be used for security management.

The policy setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingwas changed to reflect changes in the BitLocker recovery password process.

For improved process auditing, Audit Process Creation was added to the System node of Administrative Templates under Computer Configuration.

Added new security policies to improve security management. For more information, see New and changed functionality.

NTLM

NTLM Overview

The NTLM authentication protocols are based on a challenge-and-response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

Change of behavior when the account is in the Protected User security group.

For more information, see Protected Users Security Group.

No changes.

Passwords

Passwords Overview

The most common method for authenticating a user's identity is to use a secret passphrase or password as part of the sign-in process.

No changes.

Microsoft offers other means for proving identity. For more information, see Smart Card Overview and Virtual smart cards.

No changes.

Security Auditing

Security Auditing Overview

Security auditing can help identify attacks (successful or not) that pose a threat to your network, or attacks against resources that you have determined are of value through a risk assessment.

No changes.

Added expression-based audit policies, and improvements in the ability to audit new types of securable objects and removable storage devices. For more information, see What's New in Security Auditing.

Security Configuration Wizard

Security Configuration Wizard

The Security Configuration Wizard is an attack-surface reduction tool that helps administrators create security policies that are based on the minimum functionality required for a server's roles.

No changes.

No changes.

Smart Cards

Smart Card Overview

Smart cards provide a tamper-resistant and portable security solution for tasks such as authenticating clients, signing in to domains, signing code, and securing email.

The process to enroll TPM-enabled devices as a virtual smart card device has improved. APIs are added to simplify the enrollment process, making it easier to enroll a device with a virtual smart card regardless of whether they are domain joined and regardless of the hardware.

Changed the smart card sign-in experience, service start and stop behavior, and smart card transactions, by adding support for Windows RT devices and Windows 8 applications. For more information, see What's New in Smart Cards.

Software Restriction Policies

Software Restriction Policies

Software Restriction Policies (SRP) is Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run.

No changes.

No changes.

Added greater flexibility for AppLocker to control programs in your enterprise. For more information, see AppLocker Overview.

TLS/SSL (Schannel SSP)

TLS-SSL (Schannel SSP) Overview

Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.

Supports server-side “TLS/SSL Session Resumption without Server-Side State extension” (also known as RFC 5077).

Addition of the client-side Application Protocol Negotiation

For more information, see What's New in TLS/SSL (Schannel SSP) in Windows Server 2012 R2 and Windows 8.1.

Changed how trusted issuers for client authentication can be managed, added TLS support for Server Name Indicator (SNI) Extensions, and added Datagram Transport Layer Security (DTLS) for the provider. For more information, see What's New in TLS/SSL (Schannel SSP) in Windows Server 2012 and Windows 8.

Trusted Platform Module (TPM)

Trusted Platform Module Technology Overview

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions.

Improvements to the TPM Key Storage Provider for platform and key attestation.

For more information, see Malware resistance and What's New for the TPM in Windows 8.1.

Improved administration and functionality, including automated provisioning and management, Measured Boot with support for attestation, TPM-based Virtual Smart Card, and secure storage for critical elements. For more information, see New and changed functionality.

User Account Control (UAC)

User Account Control Overview

UAC helps mitigate the impact of malicious programs.

No changes.

Refined to allow easier administration of UAC configuration and messages. For more information, see New and changed functionality.

Virtual Smart Card

Virtual smart cards offer multifactor authentication and compatibility with many smart card infrastructures, and offer users the convenience of not having to carry a physical card, so users are more likely to follow their organization’s security guidelines rather than working around them.

Understanding and Evaluating Virtual Smart Cards

The process to enroll TPM-enabled devices as a virtual smart card device has improved. APIs are added to simplify the enrollment process, making it easier to enroll a device with a virtual smart card regardless of whether they are domain joined and regardless of the hardware.

For more information, see Virtual smart cards

Introduced in Windows Server 2012.

Windows Biometric Framework and Windows Biometrics

Windows Biometric Framework Overview [W8]

The Windows Biometric Framework (WBF) is a set of services and interfaces that permit consistent development and management of biometric devices, such as fingerprint readers. WBF improves the reliability and compatibility with biometric services and drivers.

Enhanced the client and associated APIs.

For more information, see Fingerprint biometrics.

Better integration of fingerprint readers with Fast User Switching, and synchronization of passwords with fingerprints. For more information, see New and changed functionality

Windows Defender

Windows Defender is a full-featured antimalware solution that is capable of detecting and stopping a wider range of potentially malicious software, including viruses.

Available and enabled by default on Server Core installation options and Core System Server (without the user interface).

For more information, see Windows Defender.

Upgraded from antispyware to a full-featured antimalware solution that is capable of detecting and stopping a wider range of potentially malicious software, including viruses.

See also

Secure Windows Server 2012 R2 and Windows Server 2012

Secure Windows [Win8]

What's Changed in Security Technologies in Windows 8.1 [Win 8.1]