Windows Server 2008 R2 Documentation

Windows Server 2008 and 2008 R2 documentation

Migration assistance with the Azure Migration Center

The Azure Migration Center has a full range of tools available to help you assess your current on-premises environment, migrate your workloads onto Azure, and optimize your Azure usage to best suit your needs.

I am working with a Lenovo Thinkserver that came preloaded with Microsoft Windows Server 2008 R2 SP1. When I attempt to locate technical documentation online (on the Microsoft website) the links often direct me to Windows Server 2012 documentation.


Windows Server is the platform for building an infrastructure of connected applications, networks, and web services, from the workgroup to the data center.


Use the links below to view technical content for IT professionals for the different versions of Windows Server.

Important

Do you have Windows running on your PC? Windows 10, Windows 8 or 8.1? Windows 7? Do you have a problem? Go to Microsoft Support - just type your problem into the search bar. They have information about Windows, Office, Skype, you name it.

The information below is only about Windows Server.

Windows Server 2016

Windows Server 2012 R2 and Windows Server 2012

Windows Server 2008 R2 and Windows Server 2008

Windows Server 2003

Windows Server 2003 Technical Library - download a PDF version of the archived content

Product evaluations

Related links

Tip

Are you having a problem? Start with Microsoft Support - just type your problem into the search bar. You can get help with Windows, Office, Skype, you name it.

I've seen several posts on the new 'authentication assurance' feature coming in Windows Server 2008 R2. The term we decided to go with is authentication mechanism assurance, because it is actually the authentication mechanism that is assured.

Authentication mechanism assurance uses certificate policies that are mapped to security groups. A user who logs on with a certificate issued under such a policy receives the mapped group as an additional membership in their access token. The expected scenario for using this feature is that a user with a smart card or token device (e.g. a USB token) logs on using a certificate issued from a policy mapped to an administrator-defined security group.

With this additional group membership in the user's access token, a distinction can be made (through that group membership) that indicates the user logged on using a specific type of certificate. This allows resources on the network (and elsewhere) to be secured as normal (using group memberships in the access control list) while effectively distinguishing that the user logged on with a smart card, USB token, or some other type of certificate logon method. Since the administrator can map different types of certificates (using different certificate policies) to different group memberships, it is also possible to distinguish the type of certificate.



As an example, consider this scenario with three certificate policies:



  1. Confidential

  2. Secret

  3. Top Secret



Now assume that these policies are mapped to three different security groups:



  1. Confidential Users (mapped to Confidential certificate policy)

  2. Secret Users (mapped to Secret certificate policy)

  3. Top Secret Users (mapped to Top Secret certificate policy)


Now consider there are three different types of smart cards (they could all be the same type of smart card). Imagine they are categorized differently, for example by different colors or stickers, indicating the following:



  1. Confidential smart card (receives a certificate issued from a certificate template that is associated with the Confidential certificate policy)

  2. Secret smart card (receives a certificate issued from a certificate template that is associated with the Secret certificate policy)

  3. Top Secret smart card (receives a certificate issued from a certificate template that is associated with the Top Secret certificate policy)



Now resource administrators could secure resources in this way:



  1. Resources considered Confidential could grant access to the following groups: Confidential Users, Secret Users, and Top Secret Users.

  2. Resources considered Secret could grant access to only the following groups: Secret Users and Top Secret Users.

  3. Resources considered Top Secret could grant access to only the Top Secret Users group.



Such a configuration would allow users who log on with Confidential smart cards to access the resources secured for Confidential Users. The users who log on with Secret smart cards can access the resources shared to the Secret Users group. The users who log on with Top Secret smart cards can access the resources shared to the Top Secret Users group. The users who log on using a username and password will not be able to access any of the resources described above.



Therefore, authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access. Further, whether the user is able to gain access to specific resources also depends on the type of certificate (indicated by the certificate template and policy) that the user presents during logon.
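The scenario above, modeled as an added example (not code from the original post, and not Windows or Active Directory code): it builds the access token for each logon method and evaluates the three resource ACLs, which shows that the tiering comes entirely from the ACLs and that a password logon or an unmapped policy adds no group. The function names, the `Domain Users` baseline group and the `Unmapped` policy are assumptions made for the illustration.

```python
# Added illustration: a model of the scenario, not Windows or Active Directory code.
# Policy names, group names and ACLs come from the scenario; function names and
# the sample logons are assumptions constructed for this example.

# Certificate policy -> security group added to the token at logon.
POLICY_TO_GROUP = {
    "Confidential": "Confidential Users",
    "Secret": "Secret Users",
    "Top Secret": "Top Secret Users",
}

# Resource classification -> groups granted access in its ACL.
RESOURCE_ACL = {
    "Confidential": {"Confidential Users", "Secret Users", "Top Secret Users"},
    "Secret": {"Secret Users", "Top Secret Users"},
    "Top Secret": {"Top Secret Users"},
}

def build_token(account_groups, cert_policies=()):
    """Group set in the access token; cert_policies is empty for a password logon."""
    token = set(account_groups)
    for policy in cert_policies:
        group = POLICY_TO_GROUP.get(policy)
        if group is not None:  # a policy with no mapped group adds nothing
            token.add(group)
    return token

def can_access(token, classification):
    """Plain ACL check: access if the token holds any group on the ACL."""
    return bool(token & RESOURCE_ACL[classification])

def access_matrix(account_groups, logons):
    """Map each logon label to the resource classifications it can reach."""
    matrix = {}
    for label, policies in logons.items():
        token = build_token(account_groups, policies)
        matrix[label] = [c for c in RESOURCE_ACL if can_access(token, c)]
    return matrix

# Constructed sample: the same account logging on in five different ways.
SAMPLE_LOGONS = {
    "password": (),
    "Confidential card": ("Confidential",),
    "Secret card": ("Secret",),
    "Top Secret card": ("Top Secret",),
    "card with unmapped policy": ("Unmapped",),
}

if __name__ == "__main__":
    for label, reachable in access_matrix({"Domain Users"}, SAMPLE_LOGONS).items():
        print(f"{label:28} -> {reachable}")
```
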


This posting is provided 'AS IS' with no warranties, and confers no rights.