What's New for Information Protection in Windows Server 2008
Updated: May 1, 2008
Applies To: Windows Server 2008
Information protection technologies in the Windows Server® 2008 operating system can be used to secure data that is stored on a computer or on the network and data that is being transmitted across the network or Internet. In addition, these technologies can be used to manage who has the right to view this data.
Windows BitLocker™ Drive Encryption (BitLocker) is a new security feature in the Windows Server 2008 and Windows Vista® operating systems that can provide protection for the operating system on your computer and data stored on the operating system volume. In Windows Server 2008, BitLocker protection can be extended to volumes used for data storage as well, which is useful for computers in unsecured areas.
Several important enhancements to Encrypting File System (EFS) are provided in Windows Server 2008. These include the ability to store encryption certificates on smart cards, per-user encryption of files in the client-side cache, additional Group Policy options, and a new rekeying wizard.
Active Directory® Certificate Services (AD CS), formerly known as Certificate Services, includes the following changes in functionality in Windows Server 2008.
Cryptography Next Generation (CNG) in Windows Server 2008 provides a flexible cryptographic development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as AD CS, Secure Sockets Layer (SSL), and Internet Protocol security (IPsec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.
Certificate revocation is a necessary part of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is distributing certificate revocation lists (CRLs). In Windows Server 2008, for public key infrastructures (PKIs) in which conventional CRLs are not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
The Network Device Enrollment Service is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that enables software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a CA.
The previous enrollment control, XEnroll.dll, has been replaced in Windows Server 2008 and Windows Vista with a new enrollment control, CertEnroll.dll. Although the Web enrollment process takes place essentially as it has for Windows® 2000, Windows XP, and Windows Server 2003, this change in enrollment controls can affect compatibility when users or computers running Windows Server 2008 or Windows Vista attempt to request a certificate by using Web enrollment pages installed on those earlier versions of Windows.
Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. Configuring the settings by using Group Policy can effect changes throughout the entire domain. Administrators can use the new certificate-related settings to deploy intermediate CA certificates to client computers, ensure that users never install applications that have been signed with an unapproved publisher certificate, configure network timeouts to better control the chain-building timeouts for large CRLs, and extend CRL expiration times if a delay in publishing a new CRL is affecting applications.
In the Windows Server 2008 Enterprise operating system, the restricted enrollment agent lets you limit the permissions that enrollment agents have for enrolling smart card certificates on behalf of other users, so that enrolling on behalf of other users can be delegated to other individuals within more controlled parameters. By using the Certification Authority snap-in, you can create a permissions list for each enrollment agent that specifies, for each certificate template, which users or security groups that enrollment agent can enroll on behalf of.
Originally part of the Microsoft Windows Server 2003 Resource Kit and called the PKI Health tool, Enterprise PKI is a Microsoft Management Console (MMC) snap-in for Windows Server 2008. Because it is now part of the operating system, you can use Enterprise PKI after server installation by simply adding it to an MMC console. It then becomes available to analyze the status of CAs installed on computers running Windows Server 2008 or Windows Server 2003.
Active Directory Domain Services (AD DS), formerly known as the Active Directory directory service, includes a new type of domain controller—the read-only domain controller (RODC)—in Windows Server 2008. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the AD DS database.
For Windows Server 2008, Active Directory Rights Management Services (AD RMS) includes several new features that were not available in Windows Rights Management Services (RMS). These new features were designed to reduce the administrative overhead of AD RMS and to extend its use outside of your organization. These new features include:
Inclusion of AD RMS in Windows Server 2008 as a server role
Administration through an MMC
Integration with Active Directory Federation Services (AD FS)
Self-enrollment of AD RMS servers
Ability to delegate responsibility by means of new AD RMS administrative roles