By Mike Mullins
In the past, Microsoft has been known to bundle a lot of extra features with its operating systems, most of which are installed with Service Account privileges by default. Windows 2003 breaks that mold by disabling, or running at a lower privilege, more than 20 services that were enabled by default in Windows 2000 Server.
Two of the most important security reforms in WS2K3 deal directly with Internet Information Server (IIS) and Telnet Server. Neither IIS nor Telnet are installed by default, and both services run under two new accounts that operate at lower privileges than the normal System Account. This change immediately improves the security profile of the server if a malicious hacker compromises either service.
Along with its improvements to service accounts for Telnet and IIS, WS2K3 includes a host of new features that may be a deciding factor in upgrading your current server OS.
Internet Connection Firewall (ICF)
This software-based firewall provides basic port security to your networked server. It works with your current security devices, adding another layer of protection to your critical infrastructure.
Software restriction policies
These use both policy and execution enforcement mechanisms to restrict unauthorized executables from running on your corporate network. These restrictions are additional measures for preventing users from executing programs that aren't part of your company's standard user software suite.
Web server security
This is set to maximum when the default installation of IIS 6.0 is installed. New IIS 6.0 security features include selectable cryptographic services, advanced digest authentication, and configurable access control of processes.
New digest security package
This supports the digest authentication protocol as defined by RFC 2617. This package provides greater protection for IIS and Active Directory.
Security improvements for Ethernet and
Based on the IEEE 802.1x specifications, these improvements facilitate secure authentication and authorization of users and computers, regardless of connecting media. These improvements also support auto-enrollment of public certificates and smart cards, which enables access control to networks that traditionally reside in or traverse public places, such as university campus WANs and government WANs across large cities.
This provides a secure warehouse for all user credentials, including passwords and X.509 certificates. This feature enables the single sign-on feature across multiple domain trusts.
Secure Internet Authentication Server and
Remote Authentication Dial-in User Server (IAS/RADIUS)
This controls remote user authentication and authorization access controls. This service is functional for a variety of connection types, such as dial-up, virtual private networks (VPNs), and firewall connections.
Federal Information Processing Standard
(FIPS) compliant kernel-mode cryptographic algorithms
These algorithms can support SHA-1, DES, 3DES, and a random number generator. This government-grade crypto module is used to encrypt Layer Two Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) connections via VPNs between client to server, server to server, or gateway to gateway.
Improved Secure Socket Layer (SSL) client
This improvement enables sessions to run 35 percent faster and be cached and shared by multiple processes. This reduces user authentications to applications, which reduces network traffic and CPU cycles on the application server.
Enhanced Encrypted File Service
This service allows administrators and users to give multiple users access to groups of encrypted files. It also provides additional file storage protection, along with maximum user capability.
Besides all of these new security features, this summer Microsoft also will release a Security Configuration Manager designed to integrate security options over the entire operating system into one management console.
Microsoft has spent a lot of time telling the public about its new security initiative. It has even included a number of security enhancements to this server release. However, after testing WS2K3 for a month, I didn't notice any added value from the new security features. The changes incorporated into the IIS and Telnet implementations are a good start, but WS2K3 is still a Microsoft product, which means that it has a long way to go before it wins my trust.
I've highlighted WS2K3's security features to help you decide whether Microsoft has lived up to its initiative and has finally delivered a secure product—or if it still lacks a strong security focus. My advice: If you're thinking about deploying WS2K3 in your enterprise, wait a while. Let the hackers play with the OS for a couple of months, and watch for security fixes before deploying the new system.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.