Raising the Bar on Windows Security
Even with improved security in Windows Server 2003, administrators need to stay vigilant to create secure networks.
by Nelson Ruest and Danielle Ruest
August 2003 Issue
For This Solution: Microsoft Windows Server 2003, Microsoft Windows XP, Microsoft Windows Embedded
At press time, Windows Server 2003 has been available to the public for almost two and a half months and has yet to experience a critical security breach. Despite the (most likely) feverish efforts of hackers worldwide, its code still stands unbreached. Hopefully, this will be the case for many months to come. However, history would seem to indicate that a breach is inevitable. The Windows platform has long been the target of many well-orchestrated attacks, and of some simply accidental trespasses.
To combat this, Microsoft made a significant shift in the way it prepares and builds its server software—a turnaround announced by Bill Gates in February 2002. He wrote in a memo to his employees the previous month, "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security." As you prepare to migrate to Windows Server 2003, or if you're still determining whether it's worth the effort, you should evaluate its security improvements and be aware of where you need to remain vigilant in protecting your systems from possible security breaches.
Gates' new security directive was translated into the Trustworthy Computing initiative, which was later summed up by the motto: Secure by Design, Secure by Default, and Secure in Deployment. Windows Server 2003 is the first operating system manufactured under the aegis of this new directive. For the first time in its history, Microsoft has actually dropped features in favor of more secure code. Windows Server 2003 includes an array of default behavior changes, designed to ensure it's secure out of the box. For example, Internet Information Services (IIS) is no longer installed by default; NTFS permissions don't allow user writes on the server and the same applies to new file shares; and Active Directory (AD) no longer supports older versions of Windows such as 95, 98, or even NT without Service Pack 3 or later, because these versions can work only with NT LAN Manager (NTLM) authentication. The latest version of the .NET Framework is also now a part of Windows Server and includes new security features (see the sidebar, "Use the .NET Framework to Enhance Security"). In short, Microsoft now produces tighter code.
This approach isn't new in the industry. Novell, once Microsoft's major competitor in the file and print networking field, has always opted for security by default. Even in its first implementations, NetWare was secure out of the box. Administrators, or supervisors as they were called, needed to allow access specifically to services as they implemented their networks. This has never been the Microsoft approach, until now.