Windows Server 2008 and its successor Windows Server 2012 belong to the server line of Microsoft Windows operating systems (OS). Server 2008 introduced a large number of new and updated features, but Windows Server 2012 brought the more significant improvements over its predecessor. Designed for a "cloud environment", 2012's Hyper-V, for instance, scales far beyond its 2008 counterpart, supporting "320 logical processors vs. 64, 4TB of memory vs. 1TB, 64 virtual processors per VM vs. 8, and 8,000 clustered VMs vs. 1,000" (Patrizio, 2015). The most important difference between 2008 and 2012 for access control, however, is the introduction of Dynamic Access Control.
According to Microsoft's product description, domain-based Dynamic Access Control applies access-control permissions and restrictions based on well-defined rules that can take into account the "sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access the resources" (Microsoft, 2013). For example, a given user may receive different permissions to a particular resource when connecting over a virtual private network (VPN) than when working from a domain-joined workstation, or may be permitted access from a device of their choice only if that device meets the security requirements defined by the network administrators. Because the decision is evaluated against the user's current attributes rather than against static group membership alone, a user's effective permissions change when their role or job changes, without an administrator having to edit the resource's permissions. Dynamic Access Control comprises "central access rules, central access policies, claims, expressions, and proposed permissions" (Microsoft, 2013).
A central access rule is defined as "an expression of authorization rules involving user groups, user claims, device claims, and resource properties" (Microsoft, 2013). Multiple rules can then be combined into policies. These central access policies are authorizations that include "conditional expressions" (Microsoft, 2013). A policy is defined once and applied across the organization; Microsoft's example is a policy covering files that contain personally identifiable information (PII) wherever they reside on the organization's servers. Implementing that policy requires identifying and tagging the files that contain PII, identifying the group of human-resources staff who are allowed to view PII, creating a rule that grants that group access, adding the rule to a central access policy, and applying the policy to all PII files. Such policies are meant to act as "security umbrellas" that an organization applies across its servers in addition to already existing "local access policies or discretionary access control lists (DACLs)" (Microsoft, 2013); a central access policy can only further restrict access, it cannot grant access that the file's own DACL denies.
In addition to central access rules and policies, a claim is "a unique piece of information about a user, device, or resource that has been published by a domain controller" (Microsoft, 2013). Microsoft's examples include "the user's title, the department classification of a file, or the health state of a computer" (Microsoft, 2013). An entity can carry more than one claim, and combinations of claims can be used to authorize access to resources. Windows Server 2012 supports three kinds of claims: user claims, device claims, and resource attributes, the last being "global properties marked for use in authorization decisions (published in Active Directory)" (Microsoft, 2013). Because claims are issued by the domain controller from Active Directory attributes, administrators can express precise, organization-wide access decisions or "enterprise-wide statements" (Microsoft, 2013).
Conditional expressions extend access-control management by allowing or denying access to a resource only when particular conditions are met, such as the user's location, group membership, or the security state of the device. These expressions let administrators maintain appropriate access to resources under varying conditions in complex business settings. Finally, proposed permissions let an administrator model the impact of changes to access-control settings "without actually changing them" (Microsoft, 2013): the proposed permissions are evaluated alongside the current ones and the results are logged rather than enforced. By examining the "effective access to a resource" that a proposed change would produce, the administrator can plan and configure permissions for a resource before implementing the actual change (Microsoft, 2013).
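The PII scenario described above (claims, a resource property, a central access rule with a conditional expression and a proposed ACL, a policy, and its application to a share) can be built end to end with the ActiveDirectory and FileServerResourceManager PowerShell modules that ship with Windows Server 2012. The script below is an added example written for this page; it is not code from the page or from Microsoft's documentation. The claim ID "ad://ext/Department", the resource property "PII_Example", the names "PII Rule" and "PII Policy", and the folder D:\HR are hypothetical choices, and sourcing both the user and the device claim from the "department" attribute is an illustrative simplification.

```powershell
# Added example: Dynamic Access Control for the PII scenario on Windows Server 2012.
# Names (ad://ext/Department, PII_Example, PII Rule, PII Policy, D:\HR) are hypothetical.
# Steps 1-4 run on a domain controller; the final section runs on the file server.
Import-Module ActiveDirectory

# 1. Claim type: the DC publishes the 'department' attribute as a claim for users
#    and for computers, so tokens carry @USER.Department and @DEVICE.Department.
New-ADClaimType -DisplayName "Department" -ID "ad://ext/Department" `
    -SourceAttribute "department" -AppliesToClasses @("user", "computer") -Enabled $true

# 2. Resource property: a Yes/No tag that file servers stamp on files. Adding it to
#    the Global Resource Property List lets FSRM download it from AD.
$yes = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Yes", "Yes", "Contains PII")
$no  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("No",  "No",  "No PII")
New-ADResourceProperty -DisplayName "PII_Example" -ID "PII_Example" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $yes, $no
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "PII_Example"

# 3. Central access rule. The resource condition scopes the rule to files tagged
#    PII_Example=Yes. Conditional ACEs (SDDL type XA) carry the expression:
#    current ACL  -> Authenticated Users get FILE_GENERIC_READ (0x1200a9) only when
#                    their Department claim is "HR";
#    proposed ACL -> additionally requires the device's Department claim to be "HR".
#    The proposed ACL is evaluated but not enforced: mismatches are logged as
#    event 4818 once central access policy staging auditing is enabled.
$currentAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "HR"))'
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == "HR") && (@DEVICE.ad://ext/Department == "HR")))'
New-ADCentralAccessRule -Name "PII Rule" `
    -ResourceCondition '(@RESOURCE.PII_Example == "Yes")' `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# 4. Policy = a set of rules. Publishing it to file servers is done with the GPO
#    setting Computer Configuration > Policies > Windows Settings > Security Settings
#    > File System > Central Access Policy, which is not scripted here.
New-ADCentralAccessPolicy -Name "PII Policy"
Add-ADCentralAccessPolicyMember -Identity "PII Policy" -Members "PII Rule"

# --- On the file server, after the policy GPO has applied (gpupdate /force) ---
# Pull resource properties from AD, tag the HR share as PII, then attach the policy.
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name "Tag HR share as PII" -Namespace @("D:\HR") `
    -Property "PII_Example" -PropertyValue "Yes" -ClassificationMechanism "Folder Classifier"
Start-FsrmClassification -Confirm:$false
Set-Acl -Path "D:\HR" -CentralAccessPolicy "PII Policy"
```

Two checks are worth running before relying on this. On a client, `whoami /claims` shows whether the Department claim is actually present in the token; it will be absent until the "KDC support for claims" policy is enabled on the domain controllers and the matching Kerberos client policy on the workstations, and Windows 7 clients never receive claims, so the conditional ACE simply denies them. On the domain side, note that the claim is only as trustworthy as the "department" attribute it is sourced from: anyone with write access to that attribute on user or computer objects can grant themselves the HR condition, so the attribute's write permissions in Active Directory deserve the same scrutiny as membership of a privileged group.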
- Patrizio, A. (21 May 2015). WS2012 vs. WS2008 vs. Azure: Microsoft options compared. Retrieved April 1, 2016 from http://www.itworld.com/article/2925349/data-center/ws2012-vs-ws2008-vs-azure-microsoft-options-compared.html
- Microsoft, Inc. (31 July 2013). Dynamic Access Control Overview. Retrieved April 1, 2016 from https://technet.microsoft.com/en-us/library/dn265973.aspx#BKMK_WinRT
- Microsoft, Inc. (2013). The evolution of Windows Server. Retrieved April 1, 2016 from https://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/comparison.aspx