BitLocker enhancements
BitLocker Drive Encryption is a data
protection feature first introduced in Windows Vista and Windows Server
2008. BitLocker encrypts entire disk volumes to help safeguard
sensitive business data from theft, loss, or inappropriate
decommissioning of computers.
BitLocker has been enhanced in several ways in Windows Server 2012 and Windows 8:
- It's now easy to provision BitLocker before deploying the operating system onto systems. This can be done either from the Windows Preinstallation Environment (WinPE) or by using Microsoft Deployment Toolkit (MDT) 2012 to deploy your Windows installation.
- The process of encrypting a volume with BitLocker can occur more rapidly in Windows Server 2012 and Windows 8 by choosing to encrypt only the used disk space instead of both used and unused disk space, which was the only option in previous versions of Windows.
- Standard users can change their BitLocker personal identification number (PIN) or password for the operating system volume or the BitLocker password for fixed data volumes. This change makes it easier to manage BitLocker-enabled clients because it means that users can choose PINs and passwords that are easier for them to remember.
- A new feature called BitLocker Network Unlock allows a network-based key protector to be used for automatically unlocking BitLocker-protected operating system volumes on domain-joined computers when these computers are restarted. This can be useful when you need to perform maintenance on computers and the tasks that you need to perform require a restart to be applied.
- BitLocker supports a new kind of enhanced storage device called Encrypted Hard Drive, which offers the ability to encrypt each block on the physical drive and not just volumes on the drive.
- BitLocker can now be used for failover clusters and cluster shared volumes.
DNSSEC enhancements
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the DNS protocol. DNSSEC enables all the records in a DNS zone to be cryptographically signed and provides origin authority, data integrity, and authenticated denial of existence. DNSSEC is important because it allows DNS servers and resolvers to trust DNS responses by using digital signatures for validation, ensuring that the responses they return have not been modified or tampered with in any way.
DNSSEC functionality was first included in the DNS Server role of
Windows Server 2008 R2 and has been significantly enhanced in Windows
Server 2012. The following are a few of the enhancements included in
DNSSEC on Windows Server 2012:
- Support for Active Directory–integrated DNS scenarios, including DNS dynamic updates in DNSSEC-signed zones
- Support for updated DNSSEC standards, including NSEC3 and RSA/SHA-2, and validation of records signed with those updated standards (NSEC3, RSA/SHA-2)
- Automated trust anchor distribution through Active Directory, with easy extraction of the root trust anchor and automated trust anchor rollover support per RFC 5011
- An updated user interface with deployment and management wizards
- PowerShell support for configuring and managing DNSSEC
Configuring DNSSEC on your DNS servers can now be done with the DNS Manager console. Simply right-click a zone and select Sign The Zone under the DNSSEC menu option.
This opens the Zone Signing Wizard. By following the prompts, you can select the Key Master for the zone, configure a Key Signing Key (KSK) used for signing other keys, configure a Zone Signing Key (ZSK) used for signing the zone data, configure Next Secure (NSEC) resource records to provide authenticated denial of existence, configure distribution of Trust Anchors (TAs) and rollover keys, and configure values for DNSSEC signing and polling.
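The same steps the Zone Signing Wizard walks through can be scripted with the DnsServer PowerShell module mentioned above. The following is an added example, not code from the book; it assumes it runs on the Windows Server 2012 DNS server that should become the zone's Key Master, and the zone name and export path are constructed placeholders.

```powershell
# Added example: script the Zone Signing Wizard steps (KSK, ZSK, NSEC3, trust anchors,
# signing, verification) with the DnsServer module on Windows Server 2012.
# Assumption: run by a DNS administrator on the server that will be the Key Master.
Import-Module DnsServer

$zone = 'corp.example.com'          # constructed placeholder zone name
$exportPath = 'C:\DnssecExport'     # constructed placeholder folder for the DS export

# Key Signing Key: signs the DNSKEY RRset; longer key, rolled less often
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 730)

# Zone Signing Key: signs the zone data; shorter key, rolled more often
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)

# Authenticated denial of existence with NSEC3 (hashed owner names instead of a plain
# NSEC chain), trust-anchor distribution through AD, and RFC 5011 rollover support
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3Iterations 10 -NSec3RandomSaltLength 8 `
    -DistributeTrustAnchor DnsKey -EnableRfc5011KeyRollover $true

# Sign the zone with the keys added above. The server running this command becomes
# the zone's Key Master; -Force suppresses the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Verification: a signed zone must carry DNSKEY records (KSK + ZSK) and RRSIG records
$dnskeys = @(Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey)
$rrsigs  = @(Get-DnsServerResourceRecord -ZoneName $zone -RRType RRSig)
if ($dnskeys.Count -lt 2 -or $rrsigs.Count -eq 0) {
    throw "Zone $zone does not look signed: $($dnskeys.Count) DNSKEY, $($rrsigs.Count) RRSIG"
}
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, KeyStatus -AutoSize

# Export the DS record set so the parent zone can publish it and complete the chain of trust
New-Item -ItemType Directory -Path $exportPath -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path $exportPath -DigestType Sha256 -Force
```

Until the parent zone publishes the exported DS record, validating resolvers cannot chain trust to the zone from the root; on AD-integrated servers the DNSKEY trust anchor distributed by `-DistributeTrustAnchor` covers the domain's own servers in the meantime.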