Windows Server 2008 R2 includes several new
networking features that provide a better end-user experience and increase
the security of your network. Two of the biggest network changes are
the new services DirectAccess and BranchCache. This section introduces
both of these services, along with several other network enhancements.
DirectAccess
DirectAccess is a new
feature introduced in Windows Server 2008 R2 and Windows 7. DirectAccess
provides end users with constant, secure connectivity to the corporate
network whenever an Internet connection is available, without the need
to install traditional VPN client software. This connection not only
gives end users easy access to the company network but also gives
systems such as configuration management and software distribution
servers access to the PC. This is a win-win feature for end users and IT
departments alike. DirectAccess works by creating a secure
tunnel between the Windows 7 workstation and the Windows Server 2008 R2
network.
BranchCache
BranchCache
is a new feature in Windows Server 2008 R2 that allows branch offices
to cache files from file servers and intranet Web sites locally at the
branch office. With BranchCache enabled, the first time a file is
accessed it is copied across the Wide Area Network (WAN) and opened on
the local computer. A cached copy is then saved on a server designated
as the local cache, or on another client computer. The next time a
computer in the branch tries to access the remote file, it is retrieved
from the branch office cache location instead of being pulled across the
WAN a second time.
Figure 1
depicts a graphical overview of how hosted BranchCache works.
BranchCache requires Windows Server 2008 R2 servers and Windows 7
clients.
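The hosted-cache deployment described above, as an added example that is not from the book or from Microsoft's documentation: the first part installs the BranchCache feature on a Windows Server 2008 R2 hosted cache server and switches it to hosted server mode, and the second part points a Windows 7 client at that server. The server name cache01.branch.example.local is a placeholder, and the ServerManager module and netsh branchcache context are the tools available on those operating systems.

```powershell
# Added example (not from the original text): configure hosted-mode BranchCache.
# Run each part in an elevated prompt on the machine named in its comment.
# Assumption: the hosted cache server's FQDN is the placeholder below.

# --- Part 1: on the Windows Server 2008 R2 hosted cache server ---
Import-Module ServerManager
if (-not (Get-WindowsFeature BranchCache).Installed) {
    Add-WindowsFeature BranchCache        # installs the BranchCache feature
}
netsh branchcache set service mode=hostedserver
netsh branchcache show status             # confirm the service mode

# --- Part 2: on each Windows 7 client in the branch office ---
$hostedCache = 'cache01.branch.example.local'   # placeholder FQDN
netsh branchcache set service mode=hostedclient location=$hostedCache
netsh branchcache show status             # should report hosted client mode
```

Two points the script does not cover: the hosted cache server also needs a server certificate that the branch clients trust, bound to HTTPS, because clients retrieve cached content from it over SSL; and the file servers whose content is to be cached need the BranchCache for Network Files role service enabled so they can publish content hashes.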
VPN Reconnect
VPN
Reconnect is a feature that allows Windows 7 clients to automatically
reconnect a VPN connection that was dropped due to intermittent loss of
Internet connectivity. For example, you may be connected to an airport
wireless network with multiple wireless access points. Typically, moving
from one access point to another could intermittently drop your Internet
connection. This would result in you having to reconnect your VPN
client, including reentering your username and password. A Windows 7
client using VPN Reconnect would automatically reestablish the VPN
connection without you having to reenter your username and password. VPN
Reconnect requires a Windows 7 client and VPN connectivity via Windows
Server 2008 R2 Routing and Remote Access Services.
DNS cache locking
Windows Server 2008 R2
introduces several new features to enhance the security of DNS. Included
among these features is DNS cache locking. This feature allows an
administrator to control how soon cached DNS entries can be overwritten.
When a Windows DNS server performs a recursive query, it caches a copy
of the result locally. This allows future queries to be answered from the
cache instead of requiring the DNS server to perform the same query
again. One of the risks of using this technology is the possibility of
cache poisoning, where malicious DNS entries are introduced into a
DNS server's cache and could redirect clients to malicious Web sites.
DNS cache locking can help combat this risk by allowing the
administrator to set a percentage of the record's time to live (TTL) as
the amount of time that must pass before the cached copy can be updated.
For example, the DNS administrator could set cache locking to 80% of the
time to live. This would mean that cached DNS records could not be
updated until 80% of the time to live had passed. This is a global
setting per DNS server, meaning it cannot be set per zone or record. You
can update the DNS cache locking percentage using the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters. A
restart of the DNS service is required for any changes to take effect.
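The registry change described above, carried out as an added PowerShell example (not from the book): it reads the current cache locking percentage, writes the 80% value used in the text, restarts the DNS service, and reads the value back to confirm. The value name CacheLockingPercent under the Parameters key is the registry value this setting uses; the key path is the one given in the text.

```powershell
# Added example (not from the original text): inspect and set DNS cache locking
# on a Windows Server 2008 R2 DNS server. Run in an elevated PowerShell prompt.
# The value name is CacheLockingPercent (REG_DWORD); 80 is the percentage used
# in the text as an illustration.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'CacheLockingPercent'
$desired   = 80

# Report the current setting. If the value is absent the server uses its
# built-in default, so say so rather than treating the missing value as 0.
$current = (Get-ItemProperty -Path $paramsKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set; the server is using its default."
} else {
    Write-Host "$valueName is currently $current%."
}

# Write the new percentage. -Force overwrites an existing value or creates it.
New-ItemProperty -Path $paramsKey -Name $valueName -Value $desired `
                 -PropertyType DWord -Force | Out-Null

# Cache locking only takes effect once the DNS service rereads its parameters.
Restart-Service -Name DNS

# Confirm the value was applied.
$applied = (Get-ItemProperty -Path $paramsKey -Name $valueName).$valueName
if ($applied -ne $desired) { throw "Expected $desired but found $applied" }
Write-Host "DNS cache locking is now $applied% of each record's TTL."
```

The same setting can be written with the DNS command-line tool as dnscmd /Config /CacheLockingPercent 80, which still requires the service restart. Because the setting is server-wide, a high percentage also delays legitimate record changes from reaching the cache until most of the original TTL has elapsed, so pick a value that matches how often your authoritative zones actually change.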
DNS Security Extensions
DNS Security Extensions (DNSSEC)
is a new standards-based technology that increases DNS security by
using public key/private key cryptography to sign DNS records. A DNS
server performing a recursive query against a signed DNS zone also
receives a public key from the authoritative DNSSEC-enabled DNS server.
The querying DNS server can
use the public key to verify the validity of the results being
returned. DNSSEC is supported by Windows Server 2008 R2 servers and
Windows 7 clients.
Firewall profiles per network connection
Windows Server 2008 R1
and Windows Vista introduced the concept of Network Location. The
Windows Firewall could have different settings for different network
types. For example, while connected to the domain network, the server
could have more ports open and less strict firewall rules than when
connected to a public network such as the Internet. However, servers
with multiple network adapters connected to multiple networks could use
only one profile at a time, so the least restrictive profile would have
to be used. Windows Server 2008 R2 resolves this issue by allowing
administrators to apply individual firewall profiles to each network
connection. This prevents you from having to lower firewall security for
public networks while still allowing all necessary connectivity on
trusted networks.
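A per-profile configuration for the multi-homed case described above, as an added example that is not from the book: on a Windows Server 2008 R2 server with one adapter on the domain network and one on a public network, the public profile is set to block all unsolicited inbound traffic while an inbound Remote Desktop rule is scoped to the domain profile only. It uses the netsh advfirewall context, which is the firewall command-line tool available on 2008 R2; the rule name is an arbitrary label chosen for this example.

```powershell
# Added example (not from the original text): keep the public-facing adapter
# locked down while allowing RDP only through the domain profile.
# Run in an elevated prompt on the Windows Server 2008 R2 server.

# List the active profiles; on R2 a server with adapters on different networks
# can show more than one profile active at the same time.
netsh advfirewall show currentprofile

# Public profile: firewall on, block all unsolicited inbound connections.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

# Domain profile: firewall on, and allow inbound RDP on this profile only.
netsh advfirewall set domainprofile state on
netsh advfirewall firewall add rule name="RDP (domain profile only)" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain

# Verify the rule is bound to the domain profile and not to the public one.
netsh advfirewall firewall show rule name="RDP (domain profile only)"
```

The check at the end matters: a rule created without profile=domain applies to every profile, which would reopen port 3389 on the public adapter and undo the benefit of the per-connection profiles.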