Introduction:
Windows Server 2012 introduced some new Active Directory features, some of which are quite beneficial from a security standpoint. Dynamic Access Control and Flexible Authentication Secure Tunneling (FAST) are probably the most fundamental changes that Microsoft integrated into Server 2012 from a security point of view.
Dynamic Access Control enables system administrators to apply access-control restrictions and assign permissions based on a well-defined set of rules that takes into account resource sensitivity, user roles, and the configuration of the accessing device. For example, a user's permissions may differ depending on whether they access resources from their office workstation or remotely via a virtual private network (VPN). Without Dynamic Access Control, users can remotely access restricted resources, which is risky, since some critical information should only be accessed from company machines. With Dynamic Access Control, user permissions change automatically, without administrator intervention, when the user's role, job or location changes.
Flexible Authentication Secure Tunneling (FAST) is part of the Kerberos pre-authentication framework and provides a protected channel between the client and the Key Distribution Centre (KDC). With FAST in place, it becomes easier to use different key management systems and to chain multiple authentication techniques, and support for new key agreement algorithms is added. Without FAST, brute-force attacks on the reply key are possible.
In terms of network efficiency and cost effectiveness, some features refreshed from previous versions of Windows Server stand out. Two of these are domain join through DirectAccess and Group Managed Service Accounts (GMSAs).
Domain join via DirectAccess enables users to remotely access shared resources, applications, and websites on the intranet without connecting to a VPN. DirectAccess gives remote users more secure access with better performance. When DirectAccess was first implemented in Server 2008, it relied heavily on IPv6 and could not be virtualized. DirectAccess in Server 2012, however, works well with IPv4, with no need for the transition technologies that slowed it down, and it can also be virtualized on a Hyper-V virtual machine.
Group Managed Service Accounts (GMSAs) provide automated password management, delegation of management to other administrators, and simplified SPN management across multiple servers. With GMSAs, administrators no longer need to synchronize passwords between service instances. GMSAs also support hosts that have been offline for extended periods, and the management of hosts running different instances of the same service. This improves network performance and efficiency, since one can deploy a server farm with a single identity that client computers use for authentication without needing to know which service instance they are connecting to.
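The provisioning flow described above, as an added PowerShell example that is not code from the original article; the domain corp.example, the hosts APP01 and APP02, the group AppFarmHosts and the account svc_app are assumed names. The important control is step 2: only the principals listed in PrincipalsAllowedToRetrieveManagedPassword can read the managed password from AD, so that list should be a dedicated group of farm hosts rather than a broad group.

```powershell
# Added example (not from the original article). Assumed names: domain
# corp.example, farm hosts APP01/APP02, group AppFarmHosts, gMSA svc_app.
# Steps 1-3 run as a Domain Admin where the AD PowerShell module is present;
# steps 4-5 run on each farm member.
Import-Module ActiveDirectory

# 1. One-time prerequisite: the KDS root key from which DCs derive gMSA
#    passwords. -EffectiveImmediately still needs about 10 hours for
#    replication in a multi-DC domain; it is only "immediate" in a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. A group of the hosts allowed to retrieve the managed password.
#    Scoping retrieval to this group (not to "Domain Computers") is the
#    control that matters: every member listed here can read the secret.
New-ADGroup -Name 'AppFarmHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'AppFarmHosts' -Members 'APP01$', 'APP02$'

# 3. The gMSA itself. The farm's SPNs are registered once on the shared
#    identity, so clients authenticate to the farm name, not to a node,
#    and the password rotates automatically on the given interval.
New-ADServiceAccount -Name 'svc_app' `
    -DNSHostName 'app.corp.example' `
    -ServicePrincipalNames 'HTTP/app.corp.example', 'HTTP/app' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppFarmHosts' `
    -ManagedPasswordIntervalInDays 30

# 4. On each farm member, after a reboot so that its new group membership
#    is reflected in its Kerberos ticket: install the account locally and
#    verify that this host can actually retrieve the password.
Install-ADServiceAccount -Identity 'svc_app'
Test-ADServiceAccount -Identity 'svc_app'   # True only on an authorised host

# 5. Audit check: confirm that retrieval rights are still scoped to the group
#    and have not been widened since provisioning.
$acct = Get-ADServiceAccount -Identity 'svc_app' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword
```

Step 5 is worth scheduling: a gMSA whose retrieval list has grown to a broad group is effectively a shared password, which is what the account was introduced to avoid.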