Windows Server 2012 doubles down on security

From UEFI to full-disk encryption to improvements in IIS, Windows Server 2012's security features alone provide reason enough to upgrade

With the shift to the new Metro user interface, a lot of people are wondering if Windows 8 is right for them. Those considering an upgrade to Windows Server 2012 should have no such hesitation. As InfoWorld's Oliver Rist said in June: "When Microsoft calls this a 'major' release, the company isn't kidding. Windows Server 2012 really does change the game, and that's across all roles: file sharing, identity, storage, virtual desktop infrastructure, and certainly server virtualization and cloud."

I would add that security improvements alone may justify the purchase for many enterprises. Here's a quick walkthrough of the significant new security features found in Windows Server 2012.

[ Also on InfoWorld: Review: Weighing Windows Server 2012 | 7 ways Windows Server 2012 pays for itself | Get ready for Windows 8 with the Windows 8 Deep Dive PDF special report | Keep up with key security issues with InfoWorld's Security Central newsletter. ]

True UEFI and Secure Boot
Like Windows 8, Windows Server 2012 has replaced the traditional ROM-BIOS with the new and improved industry boot standard known as UEFI (Unified Extensible Firmware Interface). Microsoft is using the security-hardened 2.3.1 version, which prevents boot code updates without appropriate digital certificates and signatures. Windows 8 and Windows Server 2012 go further and pick up the trustworthy and verified boot process, extending it to the entire Windows OS boot code with a feature known as Secure Boot. Taken together, UEFI and Secure Boot significantly reduce the risk of malicious code, such as rootkits and boot viruses, from taking control of the operating system.

Data center-ready BitLocker drive encryption
BitLocker is finally usable on server systems. Prior to Windows Server 2012, implementing BitLocker on a server meant using either Trusted Platform Module (TPM) chip-only mode, which is the weakest protector in the many offered, or required that a server administrator be present for each boot with a PIN, password, or USB key. That doesn't work so well in a lights-out data center.

A few new BitLocker protectors were added in Windows Server 2012 (and Windows 8) to allow server administrators to enable disk encryption without all the hassles. In particular, many administrators will love the network protector mode, which will automatically unlock the encrypted disk as long as the server is network connected and joined to its normal Active Directory (AD) domain.

But enhanced BitLocker goes even further, with support for hardware encrypted disks (known as SED and ED disks), AD account or group protectors, and cluster-aware encryption that allow the disk to properly failover and be unlocked to any member computer of the same cluster. With these new enterprise-intended features, Windows Server 2012 will be far easier to encrypt with BitLocker than its predecessor.

Early Launch Anti-Malware
Another Windows Server 2012 feature shared with Windows 8, ELAM (Early Launch Anti-Malware) ensures that only known, digitally signed antimalware programs can load right after Secure Boot finishes (although it does not require UEFI or Secure Boot). This way, legitimate antimalware programs can get into memory and start doing their job before fake antivirus programs or other malicious code. Prior to ELAM, a malicious program could do "interrupt or vector chaining" and load before other legitimate programs, thus allowing them to lie to the operating system or antimalware programs.

1 2 3 Page
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies