9 identity and access

Page 1: 9 identity and access

Hello. Today I’d like to talk to you about how Windows Server 2012 helps IT professionals manage identity and access.

Page 2

8/29/2012

Page 2: 9 identity and access


Page 3: 9 identity and access

Cloud and mobility are two major trends that have started to affect the IT landscape in general, and the datacenter in particular. There are four key IT questions that customers claim are keeping them up at night:

How do I embrace the cloud?

With a private cloud, you get many of the benefits of public cloud computing—including self-service, scalability, and elasticity—with the additional control and customization available from dedicated resources. Microsoft customers can build a private cloud today with Windows Server 2008 R2, Microsoft Hyper-V, and Microsoft System Center, but there are many questions about how to best scale and secure workloads on private clouds and how to cost-effectively build private clouds, offer cloud services, and connect more securely to cloud services.

How do I increase the efficiency in my datacenter?

Whether you are building your own private cloud, are in the business of offering cloud services, or simply want to improve the operations of your traditional datacenter, lowering infrastructure costs and operating expenses while increasing overall availability of your production systems is critical. Microsoft understands that efficiency built into your server platform and good management of your cloud and datacenter infrastructure are important to achieving operational excellence.

How do I deliver next-generation applications?

As the interest in cloud computing and providing web-based IT services grows, our customers tell us that they need a scalable web platform and the ability to build, deploy, and support cloud applications that can run on-premises or in the cloud. They also want to be able to use a broad range of tools and frameworks for their next-generation applications, including open source tools.

Page 4: 9 identity and access

How do I enable modern work styles?

As the lines between people’s lives and their work blur, their personalities and individual work styles have an increasing impact on how they get their work done—and which technologies they prefer to use. As a result, people increasingly want a say in what technologies they use to complete work. This trend is called “Consumerization of IT.” As an example of consumerization, more and more people are bringing and using their own PCs, slates, and phones to work. Consumerization is great as it unleashes people’s productivity, passion, innovation, and competitive advantage. We at Microsoft believe that there is power in saying “yes” to people and their technology requests in a responsible way. Our goal at Microsoft is to partner with you in IT, to help you embrace these trends while ensuring that the environment is more secure and better managed.

Page 5: 9 identity and access

Optimize your IT for the cloud with Windows Server 2012

When you optimize your IT for the cloud with Windows Server 2012, you take advantage of the skills and investment you’ve already made in building a familiar and consistent platform. Windows Server 2012 builds on that familiarity. With Windows Server 2012, you gain all the Microsoft experience behind building and operating private and public clouds, delivered as a dynamic, available, and cost-effective server platform.

Windows Server 2012 delivers value in four key ways:

1. It takes you beyond virtualization. Windows Server 2012 offers a dynamic, multitenant infrastructure that goes beyond virtualization technology to a complete platform for building a private cloud.

2. It delivers the power of many servers, with the simplicity of one. Windows Server 2012 offers you excellent economics by integrating a highly available and easy-to-manage multiple-server platform.

3. It opens the door to every app on any cloud. Windows Server 2012 is a broad, scalable, and elastic web and application platform that gives you the flexibility to build and deploy applications on-premises, in the cloud, and in a hybrid environment through a consistent set of tools and frameworks.

4. It enables the modern workstyle. Windows Server 2012 empowers IT to provide users with flexible access to data and applications anywhere, on any device, while simplifying management and maintaining security, control, and compliance.

Page 6: 9 identity and access

With Windows Server 2012, Microsoft has made significant investments in each of these four areas that allow customers to take their datacenter operations to the next level. Now, let’s take a look at how Windows Server 2012 helps customers to:

• Build and deploy a modern datacenter infrastructure

• Build and run modern applications

• Enable modern work styles for their end users

Page 7: 9 identity and access

As IT organizations evolve to meet new challenges, identity and access solutions within Windows Server 2012 have been enhanced to help IT build solutions to support the Modern Workstyle.

Page 8: 9 identity and access

Page 9: 9 identity and access

Page 10: 9 identity and access

Windows Server 2012 Dynamic Access Control automates information governance on file servers to satisfy business and regulatory requirements.

Using the file classification technology in DAC, organizations can identify or "tag" files on their file servers. Windows Server 2012 builds on this capability to: 1) control access to tagged files through centralized access policies, 2) audit and report on events concerning access or attempted access, and 3) use RMS to encrypt Office documents so that they are protected even if they leave the file server.

Windows Server 2012 includes a feature set that allows IT administrators to:

• Allow content owners to tag their information, rather than restricting this ability to administrators.

• Apply a central access policy to information in tagged files.

• Provide access-denied remediation when users cannot access information.

• Configure central audit policies to log access to information so that it can be analyzed for auditing and forensic purposes.

• Further protect specific sensitive information by automatically applying RMS protection.

The following slides describe these capabilities in more detail.

Page 12: 9 identity and access

Tags identify files that are in need of protection and can be used to group files logically. In Windows Server 2012, tags can be applied in one of four ways:

Location based. When a file is stored on a file server, it “inherits” the tags from its parent folder.

Manually. Users and administrators can manually tag files.

Automatically. Files can be automatically tagged based on content or other characteristics.

Or by applications, which can use APIs to tag files that they manage.

The automatic file classification functionality is extremely useful for applying tags to large amounts of existing information.

Page 13: 9 identity and access

A significant part of the Dynamic Access Control story is the introduction of Claims to Active Directory. In the past, authorization decisions have been made largely on a per-user basis, or on the basis of group membership in AD. For Active Directory in Windows Server 2012, the ability to issue ‘claims’ has added another option.

Based on user and device attributes within the directory, claims are created that become part of the token that is passed to authorization sources – in the case of Dynamic Access Control, this would be a file server. Now, access and authorization decisions can also be made based on values of properties within Active Directory.

You’ll see these used as part of Central Access Rules, shown on the next slide.

Page 14: 9 identity and access

Now that we’ve tagged the files for classification, and issued claims as part of the logon process, we can take those two factors, and construct central access rules that can be distributed to organizational file servers for authorization decisions. These central access policies for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties (based on file classification).

A central policy rule has the following logical parts:

Applicability. This is a condition that defines which files the policy applies to, such as those having high business value.

Access conditions. This is a list of one or more access control entries (ACEs) that define who can access the data, such as allow read and write access if the user has a high clearance level and their device is a managed device.

Page 15: 9 identity and access

Central Access Rules can be combined into Central Access Policies, which are defined and hosted in Active Directory, as shown here.

Central access policies act as security umbrellas that an organization applies across its servers. These policies enhance (but do not replace) the local access policy – the discretionary access control list (DACL) – that is applied to files and folders. For example, if a local DACL on a file allows access to a specific user but a central policy that is applied to the file restricts access to the same user, the user cannot gain access to the file (and vice versa).

[more information]

Central access policies for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using a combination of user claims and device claims that are sourced from Active Directory attributes and resource properties (file tags). Claims are assertions about the object with which they are associated, and they can be combined in logical policies to enable fine-grained control over arbitrarily-defined subsets of files. For example, for accessing high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed device, and log on with a smart card.

The various organizational access policies are driven by both compliance and business regulatory requirements. For example, if an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department that are allowed to view PII information, this is, in essence, an organization-wide policy that applies to PII files wherever they are on the file servers across the organization.
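The rule structure described above (an applicability condition on a file tag plus conditional access entries on a user claim, grouped into a policy and published to file servers), as an added PowerShell example that is not part of the deck. The claim type, resource property, rule and policy names, the employeeType value "FTE", and the file server FS01 are assumptions made for the example.

```powershell
# Added example (not from the deck): build the HBI central access policy the
# notes describe with the Windows Server 2012 ActiveDirectory module.
# Assumptions: a domain admin session on a 2012 DC; FS01 is a file server with
# FSRM installed; "HBI Rule", "HBI Policy", "FTE" and FS01 are constructed.
Import-Module ActiveDirectory

# 1. A user claim sourced from the employeeType attribute. The KDC computes the
#    claim at logon and carries it in the Kerberos ticket (slide 13). Fixing the
#    ID keeps the conditional expressions below stable; otherwise a random
#    suffix is appended to the claim ID.
New-ADClaimType -DisplayName "EmployeeType" -ID "ad://ext/EmployeeType" `
    -SourceAttribute employeeType -AppliesToClasses @("user")

# 2. A resource property (file tag) with a fixed set of suggested values.
#    IsSecured makes it usable in access checks, not only in classification.
$values = @("High", "Moderate", "Low") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
}
New-ADResourceProperty -DisplayName "Impact" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $values
# The property's object name is DisplayName + "_MS"; it must be on the list
# that file servers download before they can evaluate it.
Add-ADResourcePropertyListMember "Global Resource Property List" -Members Impact_MS

# 3. Central access rule = applicability (which files) + access conditions (who).
#    The DACL is SDDL. The XA entry is a conditional ACE: Authenticated Users (AU)
#    get Modify (0x1301bf) only when their EmployeeType claim equals "FTE".
#    Owner (OW), Administrators (BA) and SYSTEM (SY) keep full access. This rule
#    is a safety net layered on the file's own DACL; it never widens it.
$applies = '(@RESOURCE.Impact_MS == "High")'
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1301bf;;;AU;(@USER.ad://ext/EmployeeType == "FTE"))'
New-ADCentralAccessRule -Name "HBI Rule" -ResourceCondition $applies -CurrentAcl $acl

# 4. Group the rule into a policy. Group Policy (Computer Configuration >
#    Windows Settings > Security Settings > File System > Central Access Policy)
#    then delivers it to file servers, where it is stamped onto NTFS folders.
New-ADCentralAccessPolicy -Name "HBI Policy"
Add-ADCentralAccessPolicyMember -Identity "HBI Policy" -Members "HBI Rule"

# 5. On the file server: refresh the local copy of the property definitions
#    and confirm the new tag is known before classifying files with it.
Invoke-Command -ComputerName FS01 -ScriptBlock {
    Update-FSRMClassificationPropertyDefinition
    Get-FsrmClassificationPropertyDefinition -Name Impact_MS
}
```

A device claim follows the same pattern with `-AppliesToClasses @("computer")` and `@DEVICE.` in the conditional expression; that is how the "managed device" condition on the previous slide is expressed.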


Page 17: 9 identity and access

This diagram shows the central access policy structure and the interrelationships between:

-Active Directory, where policies are defined and stored,

-The file server, where policies are applied,

-The user, who is attempting to gain access to information on the file server.

[read slide if necessary]

Page 18: 9 identity and access

Central access policies give you tremendous flexibility in controlling access to your organization’s data. Examples of access policies include:

-Organization-wide authorization policy. Most commonly initiated from the information security office, this policy is driven from compliance or a high-level organization requirement and would be relevant across the organization. For example, HBI files should be accessible to only full-time employees.

-Departmental authorization policy. Each department in an organization has some special data-handling requirements that they want to enforce. For example, the finance department might want to limit access to finance servers to the finance employees.

-Specific data-management policy. This policy usually relates to compliance and business requirements and is targeted at protecting the correct access to information that is being managed, such as preventing modification or deletion of files that are under retention or files that are under electronic discovery (eDiscovery).

-Need-to-know policy. This is a catch-all authorization policy type and is typically used in conjunction with the policy types mentioned earlier. Examples include:

•Vendors should be able to access and edit only files that pertain to a project that they are working on.

•In financial institutions, information walls are important, so that analysts do not access brokerage information and brokers do not access analysis information.

Page 19: 9 identity and access

Of course, denying access is only part of an effective central access control strategy, and sometimes access must be granted after initially being denied. In this case, the Help desk or file server administrator must handle each exception manually—a time-consuming task. To mitigate this problem, assisted access-denied remediation in Windows Server 2012 reduces the need for manual intervention by providing three different processes for granting users access to the resources they need:

-Self-remediation. [more information] If users can determine what the issue is and remediate the problem so that they can get the requested access, Windows Server 2012 provides a general “access denied” message authored by the server administrator for users so that they can try to self-remediate access-denied cases. This message can also include URLs to direct the users to self-remediation websites provided by the organization.

-Remediation by the file owner. [more information] Windows Server 2012 allows administrators to define share owners in the form of a distribution list so that users can directly connect with the file owners to request access. This is similar to the Microsoft SharePoint model where the data owner gets a request from the user to gain access to the file. In the file server case, the remediation can range from adding the user rights to the appropriate file or directory to dealing with share permissions.

-Remediation by Help desk and File Server administrators. [more information] This happens when the user cannot self-remediate the issue and the data owner cannot help. This is the most costly and time-consuming remediation. Windows Server 2012 provides a user interface to view the effective permissions for users on a file or folder so that it is easier to troubleshoot access issues.

Access-denied remediation provides a user access to a file when it has been initially denied:

1. The user attempts to read a file.

2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.

3. On a computer running the Windows 8 Consumer Preview operating system, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.

4. The user requests access to the file.

5. When the user has satisfied the access requirements (e.g. signs an NDA or provides other authentication) the user’s claims are updated and the user can access the file.

Page 20: 9 identity and access

Next up is security auditing.

Auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes-Oxley (SOX), HIPAA, and Payment Card Industry (PCI) regulations require enterprises to follow a strict set of rules related to data security and privacy.

Security audits help establish the presence or absence of such policies and thereby prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a trail of user activity that can be used for forensic analysis.

Using Dynamic Access Control, you can establish organization-specific audit policies, which, like the central access control policies, are stored in Active Directory.

This diagram shows the file access auditing workflow and the interrelationships between:

-Active Directory, where claim types and resource properties are created,

-Group Policy, where the audit policies are defined and stored,

-The file server, where policies and resource properties are applied,

-And the user, who is attempting to access information on the file server.

Page 21: 9 identity and access

[read slide if necessary]

Page 22: 9 identity and access

Using Windows Server 2012, you can author audit policies by using claims and resource properties – similar to the method used for Central Access Rules. In fact, the methodology is essentially the same – the primary difference is whether the rule is in audit mode, or affecting permissions in real time. This leads to richer, more targeted, and easy-to-manage audit policies. It enables scenarios that until now were either impossible or too difficult to do.

This slide shows examples of audit policies that administrators can author. [Refer to policies on slide]

These policies help regulate the volume of audit events and limit them to only the most relevant data or users.

Page 23: 9 identity and access

And finally, there is new functionality related to encryption.

There are numerous business reasons for encrypting business-sensitive files, but encrypting all information is expensive and might impair business productivity. This means organizations tend to have different approaches and priorities for encrypting their information.

To address this issue, Windows Server 2012 provides the ability to automatically encrypt sensitive Microsoft Office files based on their classification. This is done through file management tasks that invoke AD RMS protection for sensitive Office documents a few seconds after the file is identified as being a sensitive file on the file server.

RMS encryption provides another layer of protection for files. Even if a person with access to a sensitive file inadvertently sends that file out through email, the file is still protected by the RMS encryption. Any user who wants to access the file must first authenticate to an RMS server to receive the decryption key.

This scenario requires a previously deployed implementation of RMS.

[Walk through scenario above]

Page 24: 9 identity and access

Dynamic Access Control in Windows Server 2012 provides new ways for organizations to control access to information and achieve regulatory compliance. Organizations can classify unstructured data on their file servers and then apply information governance based on this classification by using next-generation access and auditing controls as well as classification-based encryption.

• Identify data – Automatic and manual classification of files can be applied to tag data in file servers across the organization

• Control access to files – Central access policies enable organizations to apply safety net policies for information governance

• Audit access to files – Central audit policies for compliance reporting and forensic analysis

• Apply RMS encryption – Automatic Rights Management Services (RMS) encryption for sensitive Office documents so that you can reduce information leakage

Page 25: 9 identity and access

Populate the demo title depending upon which demo you plan to deliver. If you don’t plan to deliver demos, please hide this slide.

Click-through demos are (or will be) located at \\scdemostore01\demostore\Windows Server 2012\WS 2012 Demo Series\Click Thru Demos\Identity and Access

Demo environment build instructions are located here: \\scdemostore01\demostore\Windows Server 2012\WS 2012 Demo Series\Demo Builds

Page 26: 9 identity and access

Page 27: 9 identity and access

Virtual machines can be rolled back to a previous state when snapshots are applied, but domain controller clocks assume that time always goes forward. If an administrator inadvertently applies a snapshot to a virtual domain controller, it can cause the virtual domain controller to create security principals with the same time stamp as ones that already exist in the domain – in other words, duplicates. This can also happen if a virtual domain controller is copied within the domain.

In Windows Server 2012, a virtual domain controller is able to detect when snapshots are applied or a virtual machine is copied, because of a unique identifier exposed by the hypervisor called the virtual machine GenerationID. The virtual machine GenerationID changes whenever the virtual machine experiences an event that affects its position in time. The virtual machine GenerationID is exposed to the virtual machine’s address space within its BIOS and made available to its operating system and applications through a Windows Server 2012 driver.

During boot and before completing any transaction, a Windows Server 2012 virtual domain controller compares the current value of the virtual machine GenerationID against the value that it stored in the directory. A mismatch is interpreted as a “rollback” event, causing the domain controller to converge with other domain controllers, preventing it from creating duplicate security principals.

For Windows Server 2012 virtual domain controllers to gain this extra level of protection, the virtual domain controller must be hosted on a virtual machine GenerationID–aware hypervisor such as Windows Server 2012 Hyper-V.
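The stored GenerationID the notes mention lives in the msDS-GenerationId attribute of each DC's own computer object. The following added PowerShell example (not from the deck) reports which domain controllers have that value, and therefore have the rollback protection described; it assumes the ActiveDirectory module and read access to every DC.

```powershell
# Added example (not from the deck): list every domain controller and report
# whether it carries a VM Generation ID, i.e. whether it gets the snapshot
# rollback protection the notes describe. A DC with no value is either
# physical or hosted on a hypervisor that does not expose a Generation ID.
Import-Module ActiveDirectory

function Get-DcGenerationIdStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # msDS-GenerationId is a non-replicated attribute: it exists only in
        # the DIT of the DC that owns it, so the query must target that DC.
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName `
                   -Properties msDS-GenerationId
        $genId = $obj.'msDS-GenerationId'          # byte[] (128-bit) or $null

        $hex = if ($genId) {
            ($genId | ForEach-Object { $_.ToString("x2") }) -join ""
        } else {
            "(none: physical DC or non-aware hypervisor)"
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            HasGenerationId  = [bool]$genId
            GenerationId     = $hex
        }
    }
}

# Flag the DCs that would silently create duplicate principals after a
# snapshot restore, so they can be moved to a GenerationID-aware host.
Get-DcGenerationIdStatus | Sort-Object HasGenerationId | Format-Table -AutoSize
```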

Page 28: 9 identity and access

Many of the domain controllers in the same domain/forest are virtually identical; thus virtual domain controllers are good candidates for cloning. Nevertheless, up to now the process of deploying a virtual domain controller has involved many redundant steps:

1. Preparation and deployment of the sysprep’d server image.

2. Manually promoting a domain controller in one of the following ways:

Over-the-wire. This can be time-consuming, depending upon the size of the directory.

Install-from-media (IFM). Media preparation and copying adds time and complexity.

3. Performing post-deployment configuration steps where necessary.

With Windows Server 2012 this has changed and virtual domain controllers can be cloned. Using the new domain controller deployment wizard in Server Manager, you can promote a single virtual domain controller and then rapidly deploy all additional virtual domain controllers, within the same domain, through cloning.

[More info]

The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and creating a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on) or can be left empty, allowing the system to automatically fill in the blanks. This dramatically reduces the number of steps and time involved by eliminating repetitive deployment tasks and also allows you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator.
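The cloning procedure just described (authorize the source DC, check for clone-unsafe software, write the configuration file, copy the VM), as an added PowerShell example that is not part of the deck. DC1, DC2, the addresses and the site name are constructed values; the example assumes DC1 is a Windows Server 2012 virtual DC on a GenerationID-aware hypervisor and that the PDC emulator also runs Windows Server 2012.

```powershell
# Added example (not from the deck): the virtual DC cloning steps the notes
# outline, using the Windows Server 2012 ActiveDirectory cmdlets.
# Constructed values: DC1 (source), DC2 (clone), 10.0.0.0/24 addressing.
Import-Module ActiveDirectory

# 1. Authorise the source DC. Only members of this group may be cloned, which
#    is the control that stops an arbitrary VM copy from becoming a live DC.
Add-ADGroupMember -Identity "Cloneable Domain Controllers" `
    -Members (Get-ADComputer -Identity DC1)

# 2. On DC1: list installed services/programs not known to be clone-safe.
#    Cloning will not proceed while this list is non-empty; remove the
#    software or, after review, record it with -GenerateXml (CustomDCCloneAllowList.xml).
$excluded = Invoke-Command -ComputerName DC1 -ScriptBlock {
    Get-ADDCCloningExcludedApplicationList
}
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw "Review the excluded applications on DC1 before cloning."
}

# 3. On DC1: write DCCloneConfig.xml with the clone's promotion details.
#    Omit the parameters to let the clone take an auto-generated name and DHCP.
Invoke-Command -ComputerName DC1 -ScriptBlock {
    New-ADDCCloneConfigFile -CloneComputerName DC2 -Static `
        -IPv4Address 10.0.0.12 -IPv4SubnetMask 255.255.255.0 `
        -IPv4DefaultGateway 10.0.0.1 -IPv4DNSResolver 10.0.0.11 `
        -SiteName Default-First-Site-Name
}

# 4. Shut DC1 down cleanly, then on the Hyper-V host export it and import the
#    copy as a new VM (Export-VM / Import-VM -Copy -GenerateNewId), and start
#    both. On first boot DC2 sees a changed Generation ID plus
#    DCCloneConfig.xml and promotes itself with a new identity and SID.

# 5. Afterwards, from any DC: confirm DC2 registered and is replicating.
Get-ADDomainController -Identity DC2 | Select-Object HostName, Site, IsGlobalCatalog
repadmin /replsummary
```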

Page 29: 9 identity and access

Adding replica domain controllers running newer versions of the Windows Server operating system has proven to be:

-Time consuming

-Error-prone

-Complex

For example, in the past, IT pros were required to:

-Obtain the correct (new) version of the ADprep tools.

-Interactively log on at specific per-domain domain controllers using a variety of different credentials.

-Run the preparation tool in the correct sequence with the correct switches.

-Wait for replication convergence between each step.

The AD DS deployment wizard in Windows Server 2012 integrates all the steps to deploy new domain controllers into a single graphical interface. It requires only one enterprise-level credential and can prepare the forest or domain by remotely targeting the appropriate operations master role holders.

The wizard is integrated with Server Manager and built on Windows PowerShell. It can target multiple servers and remotely deploy domain controllers, making the deployment experience simpler, more consistent, and less time consuming.

Page 30: 9 identity and access

The new domain controller promotion wizard:

• Adprep.exe is integrated into the Active Directory Domain Services installation process. This reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion.

• Supports remote deployment. The wizard is built on Windows PowerShell and can be executed remotely against multiple servers. This greatly reduces the likelihood of administrative errors and the overall time required for installation, especially when deploying multiple domain controllers across global regions and domains.

• Validates environment-wide prerequisites before beginning deployment. Prerequisite validation is performed within the wizard, so potential errors are identified before deployment begins. Error conditions can be corrected before errors occur, avoiding the concerns resulting from a partially complete upgrade.

• Aligns with common deployment scenarios. Configuration pages are grouped in a sequence that mirrors the most common promotion options. Related options are grouped in fewer wizard pages. This provides better context for making installation choices and reduces the number of steps and the time required to complete domain controller deployment.

• Integrates with Server Manager and uses Windows PowerShell for command-line and UI consistency. The wizard can export a Windows PowerShell script containing all of the options that were specified during the deployment to simplify the process of automating subsequent deployments with scripts.
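The previous two slides describe one procedure: a single enterprise credential, prerequisite validation with adprep folded in, and remote promotion via PowerShell. The following added example (not the wizard's own exported script) shows that procedure with the Windows Server 2012 ADDSDeployment cmdlets; contoso.com, the target host DC3 and the site name are constructed values.

```powershell
# Added example (not from the deck): validate and then promote an additional
# domain controller on a remote server with the ADDSDeployment module, the
# same cmdlets the Server Manager wizard exports. Constructed values:
# contoso.com, DC3, Default-First-Site-Name. One enterprise admin credential
# is supplied interactively; the DSRM password is never written to the script.
$cred = Get-Credential -Message "Enterprise Admin for contoso.com"
$dsrm = Read-Host -AsSecureString -Prompt "DSRM (safe mode) password for DC3"

Invoke-Command -ComputerName DC3 -Credential $cred -ArgumentList $cred, $dsrm -ScriptBlock {
    param($cred, $dsrm)

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    $params = @{
        DomainName                    = "contoso.com"
        Credential                    = $cred
        SiteName                      = "Default-First-Site-Name"
        InstallDns                    = $true
        SafeModeAdministratorPassword = $dsrm
        NoRebootOnCompletion          = $true
        Force                         = $true
    }

    # Prerequisite check first: this is what the wizard runs before it lets
    # you click Install. It includes the forest/domain adprep checks, so a
    # stale schema or a missing right is reported here, not mid-promotion.
    $check = Test-ADDSDomainControllerInstallation @params
    if ($check.Status -ne "Success") {
        $check.Message
        throw "Prerequisite check failed on DC3; nothing was changed."
    }

    # Promotion. Forest and domain preparation run automatically against the
    # operations master role holders when they are still required.
    Install-ADDSDomainController @params
}

# Reboot is deferred above so the output can be inspected; finish it here.
Restart-Computer -ComputerName DC3 -Credential $cred -Wait -For PowerShell
```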

Page 33: 9 identity and access

In Windows Server 2012, the Windows PowerShell History viewer in Active Directory Administrative Center allows an administrator to view the Windows PowerShell commands as they execute in real time. For example, when you create a new fine-grained password policy, Active Directory Administrative Center displays the equivalent Windows PowerShell commands in the Windows PowerShell History viewer task pane. You can then use those commands to create a Windows PowerShell script for automating the task.

By combining scripts with scheduled tasks, you can entirely automate everyday administrative duties that were once completed manually. The cmdlets and required syntax are created for you, so very little experience with Windows PowerShell is required. Because the Windows PowerShell commands are the same as the ones executed by the Active Directory Administrative Center, they function as expected.

This offers several distinct advantages, particularly for new users of PowerShell. [refer to bullets on slide if needed]
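The fine-grained password policy example used above, as the script a practitioner would assemble from the History viewer's output (an added example, not output copied from the deck). The policy name, the group Tier0-Admins, the account admin.jane and the threshold values are constructed.

```powershell
# Added example (not from the deck): the cmdlets Active Directory
# Administrative Center emits in the PowerShell History viewer when a
# fine-grained password policy is created, wrapped for re-use.
# Constructed values: PSO-PrivilegedAccounts, Tier0-Admins, admin.jane.
Import-Module ActiveDirectory

function New-PrivilegedAccountPso {
    param(
        [string]$Name  = "PSO-PrivilegedAccounts",
        [string]$Group = "Tier0-Admins"
    )
    # Lower Precedence wins when several PSOs apply to the same user.
    # Lockout values are TimeSpan strings (d.hh:mm:ss).
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
        -LockoutThreshold 5 -LockoutDuration "00:30:00" `
        -LockoutObservationWindow "00:30:00" `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true

    # PSOs bind to users or global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group

    Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
}

New-PrivilegedAccountPso

# Verify which policy actually applies to an account (PSO vs. domain default):
Get-ADUserResultantPasswordPolicy -Identity admin.jane
```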

Page 34: 9 identity and access

Today, volume licensing for Windows and Office has several characteristics that place a burden on administrators:

-It requires Key Management Service (KMS) servers.

-It requires RPC traffic on the network, even though some organizations want to turn off this kind of traffic.

-It does not support any kind of authentication, because the EULA prohibits the customer connecting the KMS server to any external network access.

-And it requires some training, because there is no GUI, and the turnkey solution only covers about 90 percent of deployments.

All in all, the process is more complicated, restrictive and labor-intensive than it needs to be.

This situation is improved in Windows Server 2012 by leveraging Active Directory to help you activate your clients.

• No additional machines required

• No remote procedure call (RPC) requirement, uses Lightweight Directory Access Protocol (LDAP) exclusively

• Includes read-only domain controllers (RODCs)

Page 35: 9 identity and access

Activating the initial CSVLK (customer-specific volume license key) requires the following:

– One-time contact with Microsoft Activation Services over the Internet (identical to retail activation)

– Key entered using the volume activation server role or using the command line

– Repeat the activation process for additional forests, up to 6 times by default

Activation object

• Represents proof-of-purchase

• Machines can be a member of any domain in the forest

Page 36: 9 identity and access

Managed service accounts (MSAs) were a new type of account introduced in Windows Server® 2008 R2 and Windows® 7. They eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for domain-level service accounts. Up until now, however, this feature has not been available for server groups, such as clusters, that share their identity and service principal name.

With group MSAs, services or service administrators do not need to manage password synchronization between service instances. The group MSA will support credential reset, hosts that are kept offline for a period of time, and seamless management of member hosts for all instances of a service.

[more info]

•Administrators can deploy single identity server farms/clusters on Windows Server 2012 to which domain clients can authenticate without knowing which instance of a server farm/cluster they are connecting to.

Page 37: 9 identity and access

•Administrators can configure services with Service Control Manager to use a shared domain identity that automatically manages passwords.

•Once the group MSA has been created, a domain administrator can delegate management of the group MSA to a service administrator.

•Organizations can deploy single identity server farms/clusters on servers running Windows 8 Consumer Preview for identities in mixed mode domains.
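The group MSA workflow described on these two slides (shared identity for a farm, passwords managed by the domain, retrieval restricted to member hosts), as an added PowerShell example that is not part of the deck. The farm members WEB01 and WEB02, the group WebFarmHosts, the account svc-webfarm and contoso.com are constructed values; a Windows Server 2012 forest schema is assumed.

```powershell
# Added example (not from the deck): create a group managed service account
# for a two-node web farm. Constructed values: WEB01, WEB02, WebFarmHosts,
# svc-webfarm, contoso.com. Requires the 2012 schema and a domain admin.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which every gMSA password is
#    derived. DCs wait ~10 hours after its effective time before handing out
#    passwords so the key can replicate; only a single-DC lab should backdate
#    it with -EffectiveTime instead of -EffectiveImmediately.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Restrict password retrieval to a security group of farm members. Only
#    computers in this group can install the account or read its password,
#    so an attacker who reaches a non-member host gains nothing from the gMSA.
New-ADGroup -Name "WebFarmHosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "WebFarmHosts" `
    -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. Create the account. The domain rotates the password (30 days here);
#    no person ever knows it, so there is nothing to synchronise across hosts
#    and nothing to reset manually when staff leave.
New-ADServiceAccount -Name svc-webfarm -DNSHostName svc-webfarm.contoso.com `
    -ServicePrincipalNames "HTTP/webfarm.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebFarmHosts" `
    -ManagedPasswordIntervalInDays 30

# 4. On each member (after a reboot, so the new group SID is in the host's
#    token): install the account and confirm the host can fetch the password.
Invoke-Command -ComputerName WEB01, WEB02 -ScriptBlock {
    Install-ADServiceAccount -Identity svc-webfarm
    Test-ADServiceAccount -Identity svc-webfarm   # True when retrieval works
}

# 5. Configure the service to log on as CONTOSO\svc-webfarm$ with a blank
#    password in Service Control Manager; Windows obtains it from the domain.
```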

Page 38: 9 identity and access

Active Directory Domain Services in Windows Server 2012 reduces the time requirements and complexities associated with deploying domain controllers, introduces safeguards that allow domain controllers to gain an extra level of protection in virtualized environments, provides a simplified, more intuitive, and more consistent management experience via the UI and Windows PowerShell, and expands Active Directory functionality to improve desktop activation and add group service account management.

Page 39: 9 identity and access

Populate the demo title depending upon which demo you plan to deliver. If you don’t plan to deliver demos, please hide this slide.

Click-through demos are (or will be) located at \\scdemostore01\demostore\Windows Server 2012\WS 2012 Demo Series\Click Thru Demos\Identity and Access

Demo environment build instructions are located here: \\scdemostore01\demostore\Windows Server 2012\WS 2012 Demo Series\Demo Builds

Page 40: 9 identity and access

Page 41: 9 identity and access

DirectAccess was introduced in Windows 7 and Windows Server 2008 R2 to enable remote users to more securely access shared resources, websites, and applications on an internal network without connecting to a VPN. DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer is connected to the Internet. Users never have to think about connecting to the internal network, and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

Integrated Remote Access

Now with Windows Server 2012, DirectAccess and VPN can be configured together in the Remote Access Management console by using a single wizard. Other Routing and Remote Access Services (RRAS) features can be configured using the legacy RRAS management console. The new role allows easier migration of Windows 7 RRAS and DirectAccess deployments and provides several new features and improvements.

[Next slide]

Page 42: 9 identity and access

Windows Server 2012 enhances and simplifies DirectAccess through improved manageability, ease of deployment, improved performance and scalability, and support for new scenarios.

Page 43: 9 identity and access

Windows Server 2012 provides a highly cloud-optimized operating system. VPN site-to-site functionality in remote access provides cross-premises connectivity between enterprises and hosting service providers. Cross-premises connectivity enables enterprises to connect to private subnets in a hosted cloud network. It also enables connectivity between geographically separate enterprise locations. With cross-premises connectivity, enterprises can use their existing networking equipment to connect to hosting providers by using the industry-standard IKEv2-IPsec (Internet Key Exchange version 2/Internet Protocol security) protocol.

In the example on this slide, the following occurs:

1. Contoso.com and Woodgrove.com offload some of their enterprise infrastructure in a hosted cloud.

2. The hosting provider provides private clouds for each organization.

3. In the hosted cloud, virtual machines running Windows Server 2012 are configured as remote access servers running site-to-site VPN.

4. In each hosted private cloud, a cluster of two or more remote access servers is deployed to provide high availability and failover.

5. Contoso.com has two branch office locations. In each location, a Windows Server 2012 remote access server is deployed to provide a cross-premises connectivity solution to the hosted cloud and between the branch offices.

6. The Contoso.com branch office computers running the unified Remote Access Server role in Windows Server 2012 are also configured as DirectAccess servers in a multisite deployment. DirectAccess clients can more securely access any resource in the Contoso.com public cloud or Contoso.com branch offices from any location on the Internet.

7. Woodgrove.com can use existing routers to connect to the hosted cloud because cross-premises functionality in Windows Server 2012 complies with IKEv2 and IPsec standards.
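The Contoso branch-office side of the scenario above, as an added example that is not part of the deck: a Windows Server 2012 remote access server in site-to-site mode with an IKEv2/IPsec tunnel to the hosted cloud. The hosting provider's public address 203.0.113.10, the hosted private subnet 10.20.0.0/16 and the interface name are assumed lab values; the Set-VpnServerIPsecConfiguration parameter names are assumed from the Windows Server 2012 RemoteAccess module.

```powershell
# Added example (not from the deck). Assumed lab values: this host is a Contoso branch
# remote access server; the hosted cloud's tunnel endpoint is 203.0.113.10 and its private
# subnet is 10.20.0.0/16. Requires the Windows Server 2012 RemoteAccess module.
Import-Module RemoteAccess

# 1. Install the unified Remote Access role in site-to-site VPN mode.
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-RemoteAccess -VpnType VpnS2S

# 2. Pin the IKEv2/IPsec proposal so the tunnel never negotiates down to weak suites
#    (parameter names assumed for the 2012 module; verify with Get-Help).
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048

# 3. Define the tunnel to the hosting provider. Machine certificates on both ends are the
#    production choice; a pre-shared key (never hard-coded in the script) is the lab fallback.
Add-VpnS2SInterface -Name "ToHostedCloud" `
    -Destination "203.0.113.10" `
    -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly `
    -SharedSecret (Read-Host "IKEv2 pre-shared key") `
    -IPv4Subnet @("10.20.0.0/16:100") `
    -Persistent

# 4. Bring the tunnel up and confirm its state and the routed prefix.
Connect-VpnS2SInterface -Name "ToHostedCloud"
Get-VpnS2SInterface -Name "ToHostedCloud" | Format-List
Get-NetRoute -DestinationPrefix "10.20.0.0/16"
```

Woodgrove's non-Windows routers need only the same IKEv2 proposal and the matching subnet/credential on their side, which is why standards compliance matters in step 7.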


Page 44: 9 identity and access

By using the new Remote Access Management console, you can configure, manage, and monitor multiple DirectAccess and VPN remote access servers in a single location. The console provides a dashboard that allows you to view information about server and client activity. You can also generate reports for additional, more detailed information. Operations status provides comprehensive monitoring information about specific server components. Event logs and tracing help diagnose specific issues. By using client monitoring, you can see detailed views of connected users and computers, and you can even monitor which resources the clients are accessing. Accounting data can be logged to a local database or a Remote Authentication Dial-In User Service (RADIUS) server.

In addition to the Remote Access Management console, you can use Windows PowerShell command-line interface tools and automated scripts for remote access setup, configuration, management, monitoring, and troubleshooting.

On client computers, users can access the Network Connectivity Assistant application, integrated with Windows Network Connection Manager, to see a concise view of the DirectAccess connection status and links to corporate help resources, diagnostics tools, and troubleshooting information. Users can also enter one-time password (OTP) credentials if OTP authentication for DirectAccess is configured.

Page 45: 9 identity and access

The enhanced installation and configuration design in Windows Server 2012 allows you to set up a working deployment quickly and easily without changes to your internal networking infrastructure. In simple deployments, you can configure DirectAccess without being required to set up a certificate infrastructure. DirectAccess clients can now authenticate themselves by using only Active Directory credentials; no computer certificate is required. In addition, you can select to use a self-signed certificate created automatically by DirectAccess for IP-HTTPS and for authentication of the network location server.

To further simplify deployment, DirectAccess in Windows Server 2012 supports access to internal servers that are running IPv4 only. An IPv6 infrastructure is not required for DirectAccess deployment.

Page 46: 9 identity and access

Remote access offers several scalability improvements, including support for more users with better performance and lower costs:

• You can cluster multiple remote access servers for load balancing, high availability, and failover. Cluster traffic can be load balanced by using Windows Network Load Balancing (NLB) or a third-party load balancer. Servers can be added to or removed from the cluster without interrupting connections in progress.

• The remote access server role takes advantage of Single Root I/O Virtualization (SR-IOV) for improved I/O performance when running on a virtual machine. In addition, remote access improves the overall scalability of the server host with support for IPsec hardware offload capabilities, which are available on many server interface cards that perform packet encryption and decryption in hardware.

• IP-HTTPS no longer encrypts traffic a second time: it relies on the encryption that IPsec already provides. This optimization, combined with the removal of the Secure Sockets Layer (SSL) encryption requirement, increases scalability and performance.

Page 47: 9 identity and access

Remote access in Windows Server 2012 includes additional enhancements, including integrated deployment for several scenarios that required manual configuration in Windows Server 2008 R2.

These include force tunneling (which sends all traffic through the DirectAccess connection), Network Access Protection (NAP) compliance, support for locating the nearest remote access server from DirectAccess clients in different geographical locations, and deploying DirectAccess for only remote management.

With Windows Server 2012, you can now configure a DirectAccess server with two network adapters at the network edge or behind an edge device, or with a single network adapter running behind a firewall or NAT device. Being able to use a single adapter removes the requirement to have dedicated public IPv4 addresses for DirectAccess deployment. With this configuration, clients connect to the DirectAccess server by using IP-HTTPS.

Remote access servers can be configured in a multisite deployment that allows users in dispersed geographical locations to connect to a multisite entry point closest to them. Traffic across the multisite deployment can be distributed and balanced with an external global load balancer. To support fault tolerance, redundancy, and scalability, DirectAccess servers can now be deployed in a cluster configuration by using Windows load balancer or an external hardware load balancer.

DirectAccess in Windows Server 2012 adds support for two-factor authentication using an OTP.
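The single-adapter, behind-NAT deployment described above with force tunneling, as an added example that is not part of the deck. Server name, interface name "Ethernet", public name da.contoso.com, GPO names and the client group CONTOSO\DirectAccessClients are assumed lab values; the Install-RemoteAccess parameters are those of the Windows Server 2012 RemoteAccess module as assumed here, so confirm them with Get-Help on your build.

```powershell
# Added example (not from the deck). Assumed lab values: single-NIC server behind NAT,
# interface "Ethernet", public name da.contoso.com, client group CONTOSO\DirectAccessClients.
Import-Module RemoteAccess
Install-WindowsFeature RemoteAccess -IncludeManagementTools

# Single adapter behind NAT: the same interface faces the Internet (IP-HTTPS on TCP 443)
# and the intranet, so no dedicated public IPv4 addresses and no IPv6 backbone are needed.
Install-RemoteAccess -DAInstallType Full `
    -ConnectToAddress "da.contoso.com" `
    -InternalInterface "Ethernet" -InternetInterface "Ethernet" `
    -ClientGpoName "contoso.com\DirectAccess Client Settings" `
    -ServerGpoName "contoso.com\DirectAccess Server Settings" `
    -DeployNat

# Scope the client GPO to a dedicated security group rather than Domain Computers,
# so only intended machines receive the always-on tunnel policy.
Add-DAClient -SecurityGroupNameList "CONTOSO\DirectAccessClients"

# Force tunneling sends all client traffic through the corporate edge, where it can be
# inspected and filtered; Internet-bound traffic pays a performance cost for that.
Set-DAClient -ForceTunnel Enabled

# Review what the wizard produced: authentication mode, NLS settings, and the client policy.
Get-DAServer | Format-List
Get-DAClient | Format-List
```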


Page 48: 9 identity and access

For two-factor smart card authentication, Windows Server 2012 supports using Trusted Platform Module (TPM)-based virtual smart card capabilities available in Windows 8. The TPM of client computers can act as a virtual smart card for two-factor authentication, which removes the overhead and costs incurred in smart card deployment.

Windows Server 2012 introduces the capability for computers to join an Active Directory domain and receive domain settings remotely via the Internet. This capability allows easy deployment of new computers in remote offices and provisioning client settings to DirectAccess clients.

Page 49: 9 identity and access


Page 51: 9 identity and access

To sum up:

In IaaS deployments, security, identity, and asset control are all areas requiring critical attention from IT administrators—particularly when moving to virtualized and private or public cloud environments.

Windows Server 2012 makes those tasks easier by providing simple but comprehensive new and enhanced features, including:

• Dynamic Access Control, for flexible, intelligent, auditable security;

• Active Directory Domain Services enhancements, for easier deployment and management in virtual environments;

• improvements to DirectAccess to support more flexible deployments, higher performance, and an improved client experience.

Thank you!

Page 52: 9 identity and access


Page 53: 9 identity and access
