Suite B Cryptography Support
Suite B comprises a group of cryptographic algorithm standards that's approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software. Microsoft added Support for Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA2) to Windows Vista (and later). Windows 7 allows Suite B ciphers to be used with Transport Layer Security (TLS), referred to as TLS v.1.2, and Encrypting File System (EFS).
Recommendation: Suite B ciphers should be used whenever possible; however, it's very important to note that Suite B ciphers are not usually compatible with Windows OS's prior to Windows Vista.
DirectAccess allows remote users to securely access enterprise resources (such as shares, Web sites, applications, and so on) without connecting to traditional types of VPNs. DirectAccess establishes bi-directional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. The advantage here is that users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.
Once DirectAccess is enabled, when a user's computer connects to the Internet, it's as though he or she is on the organisation's local network. Group policies work, remote management tools work, and automatic push patching works.
Unfortunately, DirectAccess has fairly involved requirements, including Windows Server 2008 R2 (to act as the RAS server); Windows 7 (and later) Enterprise or Ultimate clients; PKI; IPv6; and IPSec.
Recommendation: Companies should look into using DirectAccess as their default VPN technology for Windows 7 and later clients.
Managed Service Accounts
Service accounts are often highly privileged, but difficult to manage. Best-practice recommendations dictate changing service account passwords frequently, so as to avoid the risk of password attacks. However, Windows service accounts often require two or more coordinated, synchronised password changes in order for the service to continue running without interruption; prior to Windows 7 and Windows Server 2008 R2, service accounts were not easy to manage. If a service account is enabled as a Managed Service Account, Windows will take over the password management and simplify Kerberos SPN (Service Principal Names) management.
Recommendation: Like Direct Access, Managed Service Accounts have a lot of requirements, including a schema update and mandatory PowerShell 2 use. Still, if service accounts are a hassle in your environmentand you know they areconsider enabling this new feature when your infrastructure is prepared.
Virtual Service Accounts
VSAs are related to Managed Service Accounts in that Windows takes over the password management. However, VSAs are for local service accounts and don't require a schema update or nearly the amount of effort to configure and use.
Sign up for MIS Asia eNewsletters.