There are plenty to choose from including the following:
- Read Only Domain Controller
- BitLocker on the server
- Active Directory Rights Management
- Active Directory Certificate Services
- Integrated firewall with IPSec task based interface
- Architectural improvements
- Increased scope of Active Directory Group Policy
My personal favourite new security feature is Network Access Protection (NAP). This technology can fundamentally change the threat landscape for managed machines on your network, because you can prevent machines that fail to meet policy from connecting to those that are compliant. It is a fundamental feature of the entire network infrastructure and is available on clients from XP SP3 (due soon) through Vista to Server 2008, so you don’t have to change your entire infrastructure to take advantage of NAP.
NAP can enforce policy compliance for the following points of entry:
- Remote Access (VPN or dial up)
- Port-based authentication – NAP can integrate natively with Cisco’s Network Admission Control (NAC).
One of the best aspects of NAP is the ability to automatically bring clients into compliance without user intervention. You can also define policy for machines that are not currently NAP aware and enable them to seamlessly access corporate resources. I expect that the open source community may provide NAP support at some point too.
There is a wide range of remediation options, including System Center Configuration Manager and Microsoft Forefront, and a very large number of third-party security products integrate with NAP for both assessment and remediation.
I strongly encourage you to deploy NAP in “reporting mode” in the first instance to assess how many client connection requests would be declined for failing to comply with the stated policy; once a high enough percentage of your machines comply, consider moving to enforcement mode.
I will explain much more soon.