Security and Protection
Updated: April 23, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This collection contains detailed information about security technologies in Windows Server 2008 and Windows Server 2008 R2.
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that provides access control for applications.
Authorization Manager is a Microsoft Management Console (MMC) snap-in that can help provide effective control of access to resources.
BitLocker allows you to encrypt all data stored on the Windows operating system volume and configured data volumes, and by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components.
Encrypting File System (EFS) is a core encryption technology that enables you to encrypt files stored on NTFS volumes.
Kerberos is an authentication mechanism used to verify the identity of a user or host.
Two new types of service accounts are available in Windows Server 2008 R2 and Windows 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.
Security auditing is one of the most powerful tools to help maintain the security of your system. Auditing should identify attacks, either successful or not, that pose a threat to your network, or attacks against resources that you have determined to be valuable in your risk assessment.
Security Configuration Wizard (SCW) is an attack-surface reduction tool that guides administrators in creating security policies based on the minimum functionality required for a server's role or roles.
Security policy is the configurable set of rules that the operating system follows when determining the permissions to grant in response to a request for access to resources.
Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as client authentication, logging on to domains, code signing, and securing e-mail.
User Account Control (UAC) is a security component that allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks. UAC also can also require administrators to specifically approve administrative actions or applications before they are allowed to run.
The Windows operating system implements a default set of authentication protocols, including Negotiate, Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture. In addition, some protocols are combined into authentication packages. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.
Similar technologies are collected in this section and include Passwords, Password Reset Disk, Account Lockout Policy, System Key Utility, and Cached and Stored Credentials.