Group Managed Service Accounts
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2. Once these new service accounts are created in AD, they can be attached to particular computers and services to become self-maintaining service accounts, which have extremely long passwords that automatically reset every 30 days (along with machine password changes).
Windows Server 2012 improves MSAs in several ways. Windows 2012 debuts Group Managed Service Accounts (gMSAs), which introduce a new type of security principal. Using them, a single gMSA can be shared across multiple computers. Previously it was one MSA per computer. MSAs and gMSAs require a schema update, and gMSAs only work on Windows 8 and Windows Server 2012 services. MSAs now also have some support for clustering and load balancing.
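As an added example (not from the original article), the following PowerShell shows the life cycle the two paragraphs above describe: creating the KDS root key the domain needs, creating a gMSA that several hosts share, restricting which computers may retrieve its password, and reading the password-rotation settings back for audit. The account name, the host group, the DNS suffix and the 30-day interval are placeholders.

```powershell
# Added example, not the article's or Microsoft's own code. Names below
# (svc-web01, WebServers, corp.example.com) are placeholders.
Import-Module ActiveDirectory

# One-time prerequisite per forest: the KDS root key from which domain
# controllers derive gMSA passwords. In production the key becomes usable
# ten hours after creation so that every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only members of this group may read the managed password from AD. Keep it
# to the hosts that run the service: this list is the gMSA's real access control.
$allowedHosts = Get-ADGroup -Identity 'WebServers'

# ManagedPasswordIntervalInDays can only be set at creation time; 30 is the default.
New-ADServiceAccount -Name 'svc-web01' `
    -DNSHostName 'svc-web01.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# On each member of WebServers, run locally on that host:
#   Install-ADServiceAccount -Identity 'svc-web01'
#   Test-ADServiceAccount -Identity 'svc-web01'   # True when the host can fetch the password

# Defender's audit view: who may read the password, and when it last rolled.
Get-ADServiceAccount -Identity 'svc-web01' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, msDS-ManagedPasswordInterval |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, msDS-ManagedPasswordInterval
```

The property worth reviewing periodically is PrincipalsAllowedToRetrieveManagedPassword: any computer in that group can obtain the account's credential, so a broad group such as Domain Computers turns a self-maintaining account into a widely readable one.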
Internet Information Services 8
Internet Information Services (IIS) 8 contains many new security improvements, especially around automated security responses and multitenancy protections. Dynamic IP Restrictions is a feature that allows IIS to automatically block abusive IP addresses based upon predefined conditions, such as the concurrency or frequency of HTTP requests. This applies to FTP logons as well. In IIS 7, IP address restriction was static and manual. IIS 8 also does more to isolate individual applications from one another in multitenant deployments.
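As an added example (not from the original article), the following PowerShell enables IIS 8 Dynamic IP Restrictions server-wide with both of the conditions the paragraph mentions, concurrency and request rate. It uses the WebAdministration module's system.webServer/security/dynamicIpSecurity section; the thresholds are placeholders to be tuned against real traffic, and the logging-only and proxy-mode settings are the two caveats an operator usually wants before enforcing.

```powershell
# Added example, not the article's or Microsoft's own code. Thresholds are
# placeholders; validate them in logging-only mode before enforcing.
Import-Module WebAdministration

$section = 'system.webServer/security/dynamicIpSecurity'
$target  = 'MACHINE/WEBROOT/APPHOST'   # server-wide; add -Location 'Default Web Site' to scope to one site

# Observe first: IIS records what it would have blocked in the IIS log
# without denying anything, so the thresholds can be checked against real traffic.
Set-WebConfigurationProperty -PSPath $target -Filter $section -Name enableLoggingOnlyMode -Value $true

# Condition 1: deny a client holding more than 20 concurrent requests.
Set-WebConfigurationProperty -PSPath $target -Filter "$section/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $target -Filter "$section/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20

# Condition 2: deny a client making more than 200 requests in any 1-second window.
Set-WebConfigurationProperty -PSPath $target -Filter "$section/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $target -Filter "$section/denyByRequestRate" -Name maxRequests -Value 200
Set-WebConfigurationProperty -PSPath $target -Filter "$section/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000

# What a denied client receives. Forbidden (403) is the default; NotFound or
# AbortRequest reveal less about why the request was refused.
Set-WebConfigurationProperty -PSPath $target -Filter $section -Name denyAction -Value 'Forbidden'

# Behind a reverse proxy or load balancer every request arrives from the proxy's
# address. Proxy mode makes IIS evaluate the X-Forwarded-For client address
# instead, so one noisy client cannot get the whole proxy blocked.
Set-WebConfigurationProperty -PSPath $target -Filter $section -Name enableProxyMode -Value $true

# After the logs confirm only abusive clients trip the rules, switch to enforcing.
Set-WebConfigurationProperty -PSPath $target -Filter $section -Name enableLoggingOnlyMode -Value $false

# Read the effective configuration back.
Get-WebConfiguration -PSPath $target -Filter $section |
    Format-List enableLoggingOnlyMode, enableProxyMode, denyAction
Get-WebConfiguration -PSPath $target -Filter "$section/denyByRequestRate" |
    Format-List enabled, maxRequests, requestIntervalInMilliseconds
```

Enabling proxy mode on a server that is not behind a trusted proxy is a mistake in the other direction: the header is client-supplied, so the restriction would then be keyed on a value the client controls.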
GUI-based, fine-grained password policies
In Windows Server 2003 and before, password policy could only be set locally and at the domain level. This was a severe pain if you wanted to set one password policy for one group of users and another for other users -- for example, to require that Domain Admins use 15-character passwords, while regular user accounts needed only 12 characters.
Windows Server 2008 introduced FGPP (Fine Grained Password Policy), which allowed the creation and enforcement of different password policies below the domain level. Unfortunately, in Windows Server 2008, this could only be accomplished using special Active Directory editing tools and PowerShell.
Windows Server 2012 offers its own FGPP GUI under the new Active Directory Administrative Center, which also houses the Active Directory Recycle Bin and the Active Directory PowerShell Viewer; it essentially replaces Active Directory Users and Computers. It makes creating FGPP a piece of cake -- and it's easier to work with, which means more companies will use it. You can also right-click a user and find the resulting password policy (called Resultant Password Settings), which is great if multiple FGPP policies have been applied to a single user.
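The same scenario the two paragraphs above describe, done in PowerShell as an added example (not from the original article): a fine-grained policy that requires 15-character passwords for Domain Admins while the domain default stays at 12, followed by the Resultant Password Settings lookup for one user. The PSO name, the sample account 'jdoe' and the lockout numbers are placeholders.

```powershell
# Added example, not the article's or Microsoft's own code. 'PSO-DomainAdmins',
# 'jdoe' and the lockout values are placeholders.
Import-Module ActiveDirectory

# The domain-level baseline (12 characters in the article's scenario).
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold

# A PSO with the stricter settings. Lower Precedence wins when several PSOs
# apply to one user, so give the privileged-account policy the smallest number.
New-ADFineGrainedPasswordPolicy -Name 'PSO-DomainAdmins' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs bind to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'

# Resultant Password Settings: the one policy that actually applies to an account
# after precedence is resolved. No output means the domain default applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review pass: every PSO in the domain and the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name).Name -join ', '
    }
}
```

Precedence is the setting to get right when more than one PSO covers a user: a later, looser policy with a smaller precedence number silently replaces the stricter one, which is exactly what the Resultant Password Settings check is for.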
There are many other features sure to delight security administrators, including PowerShell 3.0 (with more than 2,000 cmdlets), the ability to load and unload a GUI on server core versions, and multiple, significant improvements in availability and clustering.
All told, Windows Server 2012 has hundreds of new security features, far more than can be covered here. It's a whale of an upgrade across the board -- and it takes security to the next level.
This story, "Windows Server 2012 doubles down on security," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.