What's New for Secure Configuration Assessment and Management in Windows Server 2008
Applies To: Windows Server 2008
Secure configuration assessment and management tools and services are available for the Windows Server® 2008 operating system to administer security throughout a layered defense and manage ongoing threats. The following technologies are new or changed for Windows Server 2008.
Security auditing
A new command-line tool, Auditpol.exe, allows you to set detailed audit policies on securable objects.
Server security policy management
In Windows Server 2008, there are many tools that you can use to help keep your computers secure. You can use the following three tools alone or together to manage the security policies on your servers:
Security Configuration Wizard (SCW) and the Scwcmd command-line tool
Security Templates snap-in
Security Configuration and Analysis snap-in
While these tools are not new, the ways in which you use them are.
Security Configuration Wizard
The version of SCW in Windows Server 2008 includes more server role configurations and security settings than the version of SCW in Windows Server 2003. By using the version of SCW in Windows Server 2008, you can:
Disable unneeded services based on the server role.
Remove unused firewall rules and constrain existing firewall rules.
Define restricted audit policies.
Reduce protocol exposure.
Authorization Manager
Authorization Manager is now included with the Windows Server 2008 and Windows Vista operating systems. The following are new and improved features of Authorization Manager:
Authorization Manager stores can now be stored in an SQL database, as well as in Active Directory® Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), or in an XML file.
Support for business rule groups (groups whose membership is determined at run time by a script) is now available.
Support is now available for custom object pickers, so that application administrators can use the Authorization Manager snap-in for applications that use AD LDS or SQL user accounts.
The Authorization Manager application programming interface (API) now includes optimizations of common functions and simpler, faster versions of commonly used methods, such as AccessCheck.
Lightweight Directory Access Protocol (LDAP) queries are no longer limited to user objects.
Additional events are recorded in the event log if auditing is active.
The use of business rules and authorization rules is controlled by a registry setting. In Windows Server 2008, rules are disabled by default. In earlier versions of Windows, rules were enabled by default.
Group Policy
Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions that are responsible for writing specific policy settings on target client computers. These are the security-related changes to Group Policy in Windows Server 2008:
Group Policy preferences
Group Policy preferences are unmanaged settings that users can change after the settings are deployed. This allows configurations that are more compatible with your IT environment and tailored to your organization's computer use.
New Group Policy categories
The new categories of policy management provide cost savings through power management, the ability to block device installation, improved security settings, expanded Internet Explorer settings management, the ability to assign printers based on location, and the ability to delegate printer driver installation to users.
Multiple local Group Policy objects (GPOs)
As an administrator, you can apply multiple local GPOs to a single computer. This simplifies configuration management because you can create separate GPOs for different roles and apply them individually, just as you can with Active Directory GPOs.
Active Directory Domain Services
Fine-grained password policies
AD DS allows you to use fine-grained password policies to specify multiple password policies within a single domain. You can use these policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.
Auditing
In Windows Server 2008, you can now set up AD DS auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes.
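As an added example (not from this page or from Microsoft's own scripts), the following PowerShell script enables the Directory Service Changes subcategory with Auditpol.exe, verifies the effective setting from the tool's CSV report output, and lists the most recent change events; the event count and the SACL note are assumptions drawn from general knowledge of Windows auditing, not from this page.

```powershell
# Added example: enable and verify Directory Service Changes auditing.
# Run in an elevated PowerShell session on a Windows Server 2008 domain controller.

$subcategory = "Directory Service Changes"

# 1. Enable the subcategory for successful operations (old/new attribute values).
& auditpol.exe /set /subcategory:"$subcategory" /success:enable /failure:disable
if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }

# 2. Read the effective setting back as CSV (/r) and check it rather than trusting /set.
#    Columns: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$report = & auditpol.exe /get /subcategory:"$subcategory" /r
$row = $report | Where-Object { $_ -match [regex]::Escape($subcategory) }
if (-not $row) { throw "Subcategory '$subcategory' not found in auditpol output" }
$inclusion = ($row -split ",")[4]
if ($inclusion -notmatch "Success") {
    throw "Expected Success auditing for '$subcategory', got '$inclusion'"
}
Write-Host "$subcategory auditing: $inclusion"

# 3. Caveat (assumption, not stated on the page): the global subcategory alone logs nothing.
#    Each object to be audited (typically the domain root, with inheritance) also needs a
#    SACL entry, set in Active Directory Users and Computers under
#    Properties > Security > Advanced > Auditing, for the operations you want recorded.

# 4. Show the most recent attribute-change events. Event ID 5136 is the
#    "directory service object was modified" event; a modification produces a pair,
#    one "Value Deleted" (old value) and one "Value Added" (new value).
$query = '*[System[EventID=5136]]'
& wevtutil.exe qe Security "/q:$query" /c:5 /rd:true /f:text
```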