Thursday, July 9, 2009

What are the benefits of new managed service accounts?

One of the security challenges for critical network applications such as Exchange and IIS is selecting the appropriate type of account for the application to use.
On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.
If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but at a cost of additional administration and complexity.
In these deployments, service administrators spend a considerable amount of time in maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
What's new in service accounts?
Two new types of service account are available in Windows Server 2008 R2 and Windows 7: the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as SQL Server and Internet Information Services (IIS) with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts.
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.
Who will want to use managed service accounts?
The managed service account and the virtual account are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.
Administrators will want to use managed service accounts to enhance security while simplifying or eliminating the following service administration tasks:
- Password management
- SPN management
Virtual accounts simplify service administration by:
- Eliminating password management
- Allowing services to access the network with the computer's account credentials in a domain environment
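The provisioning flow the text describes, written out as an added PowerShell example (not part of the original post or of Microsoft's documentation). It assumes the Windows Server 2008 R2 Active Directory module, and uses placeholder names: domain CONTOSO, MSA svc-web, host APP01, service MyAppSvc and SPN HTTP/app01.contoso.com.

```powershell
# Added example: create a managed service account (MSA), bind it to one host,
# register its SPN and switch a Windows service to it. All names below are
# placeholders (assumption): CONTOSO, svc-web, APP01, MyAppSvc, app01.contoso.com.
Import-Module ActiveDirectory

$msaName     = 'svc-web'
$hostName    = 'APP01'
$serviceName = 'MyAppSvc'
$spn         = 'HTTP/app01.contoso.com'

# 1. Create the MSA. No password is supplied: the domain generates it and
#    rotates it automatically, which removes the manual password-management task.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Register the SPN on the account so Kerberos clients can obtain tickets for
#    the service. setspn -S refuses to register a duplicate SPN in the forest.
setspn.exe -S $spn "$msaName`$"

# 3. Authorise exactly one computer to use the account. An MSA in 2008 R2 is
#    bound to a single host, so a compromise of APP01 does not expose a
#    credential that is shared with other servers.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 4. On APP01 itself: install the account locally and check that the host can
#    actually retrieve its password before touching the service.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on this host; check step 3 and AD replication."
}

# 5. Point the service at the MSA. The logon name is DOMAIN\name$ and the
#    password is left blank because Windows fetches it from Active Directory.
#    (If the service then fails to start, grant the account the
#    "Log on as a service" right in Local Security Policy.)
sc.exe config $serviceName obj= "CONTOSO\$msaName`$" password= ""
Restart-Service -Name $serviceName

# 6. Verify that the service now runs under its own account rather than a
#    shared built-in account such as Network Service.
Get-WmiObject Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```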

What does URL-based QoS do?

QoS marks IP packets with a Differentiated Services Code Point (DSCP) number that routers then examine to determine the priority of the packet. If packets are queued at the router, higher priority packets are sent before lower priority packets. With URL-based QoS, IT professionals can prioritize network traffic based on the source URL, in addition to prioritization based on IP address and ports. This gives IT professionals more control over network traffic, ensuring that important Web traffic is processed before less-important traffic, even when that traffic originates at the same server. This can improve performance on busy networks. For example, you can assign Web traffic for critical internal Web sites a higher priority than external Web sites. Similarly, non-work-related Web sites that can consume network bandwidth can be assigned a lower priority so that other traffic is not affected.
What does mobile broadband device support do?
The Windows 7 operating system provides a driver-based model for mobile broadband devices. Earlier versions of Windows require users of mobile broadband devices to install third-party software, which is difficult for IT professionals to manage because each mobile broadband device and provider has different software. Users also have to be trained to use the software and must have administrative access to install it, preventing standard users from easily adding a mobile broadband device. Now, users can simply connect a mobile broadband device and immediately begin using it. The interface in Windows 7 is the same regardless of the mobile broadband provider, reducing the need for training and management efforts.
What do multiple active firewall profiles do?
Windows Firewall settings are determined by the profile that you are using. In previous versions of Windows, only one firewall profile can be active at a time. Therefore, if you have multiple network adapters connected to different network types, you still have only one active profile—the profile providing the most restrictive rules. In Windows Server 2008 R2 and Windows 7, each network adapter applies the firewall profile that is most appropriate for the type of network to which it is connected: Private, Public, or Domain. This means that if you are at a coffee shop with a wireless hotspot and connect to your corporate domain network by using a VPN connection, then the Public profile continues to protect the network traffic that does not go through the tunnel, and the Domain profile protects the network traffic that goes through the tunnel. This also addresses the issue of a network adapter that is not connected to a network. In Windows 7 and Windows Server 2008 R2, this unidentified network will be assigned the Public profile, and other network adapters on the computer will continue to use the profile that is appropriate for the network to which they are attached.

What does VPN Reconnect do?

VPN Reconnect is a new feature of Routing and Remote Access service (RRAS) that provides users with seamless and consistent VPN connectivity, automatically reestablishing a VPN when users temporarily lose their Internet connection. Users who connect using wireless mobile broadband will benefit most from this capability. With VPN Reconnect, Windows 7 automatically reestablishes active VPN connections when Internet connectivity is reestablished. Although the reconnection might take several seconds, it is transparent to users.
VPN Reconnect uses IPsec tunnel-mode with Internet Key Exchange version 2 (IKEv2), which is described in RFC 4306, specifically taking advantage of the IKEv2 mobility and multihoming extension (MOBIKE) described in RFC 4555.
Are there any special considerations?
VPN Reconnect is implemented in the RRAS role service of the Network Policy and Access Services (NPAS) role of a computer running Windows Server 2008 R2. Infrastructure considerations include those for NPAS and RRAS. Client computers must be running Windows 7 to take advantage of VPN Reconnect.
What does BranchCache do?
With BranchCache, content from Web and file servers on the enterprise WAN is stored on the local branch office network to improve response time and reduce WAN traffic. When another client at the same branch office requests the same content, the client can access it directly from the local network without obtaining the entire file across the WAN. BranchCache can be set up to operate in either a distributed cache mode or a hosted cache mode. Distributed cache mode uses a peer-to-peer architecture. Content is cached at the branch office on the client computer that first requests it. The client computer subsequently makes the cached content available to other local clients. Hosted cache mode uses a client/server architecture. Content requested by a client at the branch office is subsequently cached to a local server (called the hosted cache server), where it is made available to other local clients. In either mode, before a client retrieves content, the server where the content originates authorizes access to the content, and content is verified to be current and accurate using a hash mechanism.
Are there any special considerations?
BranchCache supports HTTP, including HTTPS, and Server Message Block (SMB), including signed SMB. Content servers and the hosted cache server must be running Windows Server 2008 R2, and client computers must be running Windows 7.
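The hash check described above, as an added, deliberately simplified model written in PowerShell; it is not BranchCache's own code and does not reproduce its real block sizes or keyed hashes. The point it shows is the trust split: hashes come from the origin server, data bytes come from an untrusted peer or hosted cache, and any block whose bytes do not match is rejected and refetched. The block size and the sample content are constructed assumptions.

```powershell
# Added example: model of origin-supplied block hashes used to verify content
# that a client obtained from a branch-office cache instead of the origin server.
# Block size is an assumption for the model, not BranchCache's real value.
$BlockSize = 65536

function Get-BlockHashes([byte[]] $data) {
    # Split content into fixed-size blocks and hash each block with SHA-256.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hashes = @()
    for ($off = 0; $off -lt $data.Length; $off += $BlockSize) {
        $len = [Math]::Min($BlockSize, $data.Length - $off)
        $hashes += ,($sha.ComputeHash($data, $off, $len))
    }
    return $hashes
}

function Test-CachedContent([byte[]] $cached, [byte[][]] $originHashes) {
    # Returns the indexes of blocks whose bytes do not match the origin's hash.
    # An empty result means the cached copy can be trusted; -1 means the block
    # count itself differs (truncated or padded copy).
    $got = Get-BlockHashes $cached
    if ($got.Count -ne $originHashes.Count) { return @(-1) }
    $bad = @()
    for ($i = 0; $i -lt $got.Count; $i++) {
        $a = [Convert]::ToBase64String($got[$i])
        $b = [Convert]::ToBase64String($originHashes[$i])
        if ($a -ne $b) { $bad += $i }
    }
    return $bad
}

# Constructed sample: three blocks of content as served by the origin server.
$content = New-Object byte[] (3 * $BlockSize)
(New-Object System.Random -ArgumentList 42).NextBytes($content)
$originHashes = Get-BlockHashes $content        # the client gets these from the origin

# Constructed peer copy in which one byte inside block 1 has been altered.
$peerCopy = [byte[]] $content.Clone()
$peerCopy[$BlockSize + 10] = $peerCopy[$BlockSize + 10] -bxor 0xFF

# Only the altered block is reported; a client would refetch just that block
# from the origin rather than discarding the whole cached file.
$mismatched = Test-CachedContent $peerCopy $originHashes
"Blocks failing verification: $($mismatched -join ', ')"
```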

What does DirectAccess do?

With the DirectAccess feature introduced in Windows Server 2008 R2, domain member computers running Windows 7 can connect to enterprise network resources whenever they connect to the Internet. During access to network resources, a user connected to the Internet has virtually the same experience as if connected directly to an organization's local area network (LAN). Furthermore, DirectAccess enables IT professionals to manage mobile computers outside of the office. Each time a domain member computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to stay up to date with company policies and receive software updates.
Security and performance features of DirectAccess include authentication, encryption, and access control. IT professionals can configure the network resources to which each user can connect, granting unlimited access or allowing access only to specific servers or networks. DirectAccess also offers a feature that sends only the traffic destined for the enterprise network through the DirectAccess server. Other Internet traffic is routed through the Internet gateway that the client computer uses. This feature is optional, and DirectAccess can be configured to send all traffic through the enterprise network.
Are there any special considerations?
The DirectAccess server must be running Windows Server 2008 R2, must be a domain member, and must have two physical network adapters installed. Dedicate the DirectAccess server only to DirectAccess and do not have it host any other primary functions. DirectAccess clients must be domain members running Windows 7. Use the Add Features Wizard in Server Manager to install the DirectAccess Management console, which enables you to set up the DirectAccess server and monitor DirectAccess operations after setup.
Infrastructure considerations include the following:
- Active Directory Domain Services (AD DS). At least one Active Directory® domain must be deployed. Workgroups are not supported.
- Group Policy. Group Policy is recommended for deployment of client settings.
- Domain controller. At least one domain controller in the domain containing user accounts must be running Windows Server 2008 or later.
- Public key infrastructure (PKI). A PKI is required to issue certificates. External certificates are not required. All SSL certificates must have a certificate revocation list (CRL) distribution point that is reachable via a publicly resolvable fully qualified domain name (FQDN) while either local or remote.
- IPsec policies. DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. It is recommended that administrators be familiar with IPsec.
- IPv6. IPv6 provides the end-to-end addressing necessary for clients to maintain constant connectivity to the enterprise network. Organizations that are not yet ready to fully deploy IPv6 can use IPv6 transition technologies such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), Teredo, and 6to4 to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network. IPv6 or transition technologies must be available on the DirectAccess server and allowed to pass through the perimeter network firewall.

What's New in Networking

What are the major changes?
The Windows Server® 2008 R2 and Windows® 7 operating systems include networking enhancements that make it easier for users to get connected and stay connected regardless of their location or type of network. These enhancements also enable IT professionals to meet the needs of their business in a secure, reliable, and flexible way.
New networking features covered in this topic include:
- DirectAccess, which enables users to access an enterprise network without the extra step of initiating a virtual private network (VPN) connection.
- VPN Reconnect, which automatically re-establishes a VPN connection as soon as Internet connectivity is restored, saving users from re-entering their credentials and re-creating the VPN connection.
- BranchCache™, which enables updated content from file and Web servers on a wide area network (WAN) to be cached on computers at a local branch office, increasing application response time and reducing WAN traffic.
- URL-based Quality of Service (QoS), which enables you to assign a priority level to traffic based on the URL from which the traffic originates.
- Mobile broadband device support, which provides a driver-based model for devices that are used to access a mobile broadband network.
- Multiple active firewall profiles, which enable the firewall rules most appropriate for each network adapter based on the network to which it is connected.
Who will be interested in these features?
The following groups might be interested in these features:
- IT managers
- System architects and administrators
- Network architects and administrators
- Security architects and administrators
- Application architects and administrators
- Web architects and administrators

What are the benefits of the new biometric features?

The new biometric features provide a consistent way to implement fingerprint biometric–enabled applications and manage fingerprint biometric devices on stand-alone computers or on a network. The Windows Biometric Framework makes biometric devices easier for users and for administrators to configure and control on a local computer or in a domain.
What's the impact of these changes on biometrics?
The introduction of the Windows Biometric Framework allows the integration of fingerprint biometric devices in Windows. It offers a consistent user experience for logging on to Windows and performing UAC elevation. In addition, it provides a common set of discovery and integration points that offers a more consistent user experience across devices and applications. The Windows Biometric Framework also includes management functions that allow administrators to control the deployment of biometric fingerprint devices in the enterprise.

What's New in Biometrics

For enhanced convenience, Windows® 7 enables administrators and users to use fingerprint biometric devices to log on to computers, grant elevation privileges through User Account Control (UAC), and perform basic management of the fingerprint devices. Administrators can manage fingerprint biometric devices in Group Policy settings by enabling, limiting, or blocking their use.

What's new in biometrics?
A growing number of computers, particularly portable computers, include embedded fingerprint readers. Fingerprint readers can be used for identification and authentication of users in Windows. Until now, there has been no standard support for biometric devices or for biometric-enabled applications in Windows. Computer manufacturers had to provide software to support biometric devices in their products. This made it more difficult for users to use the devices and administrators to manage the use of biometric devices.
Windows 7 includes the Windows Biometric Framework that exposes fingerprint readers and other biometric devices to higher-level applications in a uniform way, and offers a consistent user experience for discovering and launching fingerprint applications. It does this by providing the following:
- A Biometric Devices Control Panel item that allows users to control the availability of biometric devices and whether they can be used to log on to a local computer or domain.
- Device Manager support for managing drivers for biometric devices.
- Credential provider support to enable and configure the use of biometric data to log on to a local computer and perform UAC elevation.
- Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain. Group Policy settings can also prevent installation of biometric device driver software or force the biometric device driver software to be uninstalled.
- Biometric device driver software available from Windows Update.
Who will want to use biometric devices?
Fingerprint biometric devices offer a convenient way for users to log on to computers and grant elevation through UAC.

Who will be interested in this feature?

AppLocker can help organizations that want to:
- Limit the number and type of files that are allowed to run by preventing unlicensed or malicious software from running and by restricting the ActiveX controls that are installed.
- Reduce the total cost of ownership by ensuring that workstations are homogeneous across their enterprise and that users are running only the software and applications that are approved by the enterprise.
- Reduce the possibility of information leaks from unauthorized software.
AppLocker may also be of interest to organizations that currently use Group Policy objects (GPOs) to manage Windows-based computers or have per-user application installations.
Are there any special considerations?
- By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.
- Expect an increase in the number of help desk calls initially because of blocked applications. As users begin to understand that they cannot run applications that are not allowed, the help desk calls may decrease.
- There is minimal performance degradation because of the runtime checks.
- Because AppLocker is similar to the Group Policy mechanism, administrators should understand Group Policy creation and deployment.
- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows 7.
- If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
- When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally, and information about that application is added to the AppLocker event log.
Which editions include AppLocker?
AppLocker is available in all editions of Windows Server 2008 R2 and in some editions of Windows 7.
Note: At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.

What's New in AppLocker

What are the major changes?
Windows AppLocker is a new feature in Windows® 7 and Windows Server® 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs.
What does AppLocker do?
Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher and file version attributes that are persistent through updates, or you can create rules that target a specific version of a file.
  AppLocker rules specify which files are allowed to run. Files that are not included in rules are not allowed to run.
- Assign a rule to a security group or an individual user.
  Note: You cannot assign AppLocker rules to Internet zones, individual computers, or registry paths.
- Create exceptions for .exe files. For example, you can create a rule that allows all Windows processes to run except Regedit.exe.
- Use audit-only mode to identify files that would not be allowed to run if the policy were in effect.
- Import and export rules.
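An added PowerShell example (not from the original post or Microsoft's documentation) that ties together the audit-only rollout the special considerations recommend and the publisher/hash rule types listed above: it generates rules from a reference install, keeps them in audit mode, dry-runs a file against them, and then reads the audit events. It assumes Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 with the Application Identity service running, and the reference directory is a placeholder.

```powershell
# Added example: build an AppLocker policy from a trusted reference install,
# deploy it in audit-only mode, and review what enforcement would have blocked.
# C:\Program Files is a placeholder reference directory (assumption).
Import-Module AppLocker

$referenceDir = 'C:\Program Files'

# 1. Collect signature and hash information for the executables to be allowed.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Generate rules for Everyone. Publisher rules survive version updates of
#    signed files; unsigned files fall back to hash rules, which have to be
#    regenerated whenever the file changes. -Optimize merges overlapping rules.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 3. Keep every rule collection in AuditOnly: nothing is blocked yet, and the
#    gaps in the allow list surface as events rather than as help desk calls.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry-run the policy against a specific file before applying it anywhere.
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Windows\regedit.exe' -User Everyone

# 5. Apply to the local computer. To write the policy into a GPO instead,
#    use Set-AppLockerPolicy with -Ldap and the GPO's LDAP path.
Set-AppLockerPolicy -PolicyObject $policy

# 6. After the audit period: list programs that ran but would have been
#    prevented under enforcement (AppLocker event ID 8003). These are the
#    candidates to add to the allow list before switching to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message -First 20
```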

Other new and changed features in Windows 7

The following topics provide additional information about new and changed features in Windows 7:
- What's New in AppLocker
- What's New in Biometrics
- What's New in Group Policy
- What's New in Handwriting Recognition
- What's New in Networking
- What's New in Service Accounts
- What's New in Smart Cards
- What's New in User Account Control
- What's New in Virtual Hard Disks
- What's New in Windows PowerShell
- What's New in Windows Search, Browse, and Organization

Streamline desktop management with the Microsoft Desktop Optimization Pack

Whether IT professionals manage and deploy desktop computers, portable computers, or virtual environments, Windows 7 makes the job easier while enabling them to use the same tools and skills they use with Windows Vista. Advanced image management and deployment tools enable IT professionals to add, remove, and report on drivers, language packs, and updates, and to deploy those system images to user computers by using less network bandwidth. New scripting and automation capabilities based on Windows PowerShell™ 2.0 reduce the costs of managing and troubleshooting computers. For IT professionals who use client virtualization, Windows 7 helps them more easily maintain virtual machine images and provide a richer user experience over remote connections. The Microsoft Desktop Optimization Pack, which is updated at least once a year, completes the enterprise experience. By using Windows 7 and the Microsoft Desktop Optimization Pack together, enterprises can optimize their desktop infrastructure and gain the flexibility to address their unique business needs. Companies can prepare to deploy Windows 7 as soon as possible by deploying Windows Vista and the Microsoft Desktop Optimization Pack today. Customers already running Windows Vista will find that Windows 7 delivers strong compatibility with Windows Vista software and devices, and that Windows 7 can be managed with many of the same tools they use to manage Windows Vista. Companies using the Microsoft Desktop Optimization Pack will have an even greater advantage when moving to Windows 7 because they can more easily migrate settings and applications.

What's New in Windows 7 for IT Pros (Beta)

Users are becoming increasingly computer-savvy, and they expect more from the technology they use at work. They expect to be able to work from home, from branch offices, and on the road, without a decrease in productivity. As the needs of users have changed, the demands on IT professionals have increased. Today, IT professionals are being asked to provide more capabilities and support greater flexibility, while continuing to minimize cost and security risks. With Windows® 7, IT professionals can meet the diverse needs of their users in a way that is more manageable. Businesses can enable employees to work more productively at their desks, at home, on the road, or in a branch office. Security and control are enhanced, reducing the risk associated with data on lost computers or external hard drives. Desktop management is streamlined, so it takes less work to deploy Windows 7 and keep it running smoothly. And because Windows 7 is based on the Windows Vista® foundation, companies that have already deployed Windows Vista will find that Windows 7 is highly compatible with existing hardware, software, and tools.

What can IT pros do with Windows 7?
Windows 7 contains many new and changed features of interest to IT professionals. Below are some of the key management tasks that can be improved or enabled with Windows 7.

Make end users productive anywhere
Windows 7 enables end users to be productive no matter where they are or where the data they need resides. They can work faster and with fewer interruptions because Windows 7 improves performance and reliability. They will not have to look in multiple places to find information because a single search can examine a SharePoint site on a company intranet as well as files on their computers. With DirectAccess, mobile users will be able to simply and securely access corporate resources when out of the office. Users in branch offices with slow connections can be more productive as well by using BranchCache™ in Windows 7 to cache frequently accessed files and Web pages.

Enhance security and control
Windows 7 builds on the security foundation of Windows Vista, delivering increased flexibility in securing computers and data. In addition to protecting internal computer hard disks, BitLocker™ Drive Encryption can now encrypt external USB drives and hard disks—and provide recovery keys so that the data is accessible when needed. For enterprises that demand the highest levels of compliance, IT professionals can use new application-blocking tools to dictate which applications are allowed to run on end user PCs, providing yet another way to limit the risk of malicious software.