ScOrp is TechRepublic's first opinion writer. His ideas and suggestions are his own and do not represent those of TechRepublic or CNET Networks.
Microsoft seems destined to set itself up for hits in the public relations arena. Sometimes they even seem determined to.
Now, it's true that any industry leader will be "The Sheriff"—that is, the one to challenge and beat in order to make a reputation for oneself. However, the typical (and appropriate!) response of a giant such as Microsoft to the trash talkin' is to cry all the way to the bank and present a stoic facade after securing the deposit. In this column, I'll rant a little about Microsoft's naming conventions and then take a look at W2K and W2K3 Server.
What's in a name?
Hooking the name of a major OS release to a specific date carries its liabilities, even if that specific date is an entire 12-month period known on this planet as a year. "Windows 2000" was touted all through 1999. Then January 2000 came and went with no release. Then February came and went—no, wait, halfway through it arrived, but months later than promised, and then with truly dismal application and driver support, such that it was not until a bit later that W2K was viewed as a viable upgrade to the old workhorse NT4. Of course, some would claim that W2K wasn't even close to "viable" until SP1 was published—some five or six months later.
Maybe they should have stuck with NT5, but then the acronym "New Technology" sounds a bit silly when you realize that this OS was first conceived and started in the late 80s—over a decade earlier.
(BTW, the splash screen for W2K reads in full, "Based on New Technology Technology," which is like saying, "PIN number" or "La Brea Tar Pits," an unnecessarily superfluous redundancy. But onward...)
Windows 95 and 98 had no such problems from the PR standpoint. Though also "late" by strict standards, W95 was such a welcome improvement over Win 3.1 that no one cared, and W98 was also a substantial enough improvement over W95. But the successor to the W9x (GUI-shell-over-DOS) series, also due in 2000, carried its own naming problems. The new NT-kernel OS's name was to carry the "2000" tag, which taxonomically speaking could be seen as a bit confusing. So the next in the W9x series switched naming systems to the "two-letter standard," becoming Windows Me—which could be because "W9x" in the year 2000 was also something of a misnomer.
A rose by any other name....
Seen in this light, it shouldn't have been a surprise when the anticipated "Whistler" OS threw it all out the window (so to speak) and became .NET. Something needed to happen, after all. Then somehow, possibly because of bad press about the .NET name (either it became a symbol for Microsoft's purported iron-fisted desire to usurp the Internet, or perhaps because "DotNOT" was just too attractive to pundits), the successor to W2K became Windows 2003.
Perhaps because of the molasses-like slowness of enterprises to upgrade to W2K over NT4 (by a show of hands, how many out there are still using mostly NT4? A-ha!), Microsoft is promoting W2K3 heavily. Oddly enough, it seems almost as if the majority of the marketing is to the folks still on NT4. This could be because many of the outfits fully on unmixed, AD-enabled W2K only just migrated to it and are not overly receptive to repeating the whole ugly process a mere year later.
Either way (and you folks who are still on LanTastic and Banyan Vines, listen up!), is W2K3 really worth a look at this stage of the game, with IT budgets slashed to the bone and beyond? Or is it just "Win2K Special Edition" (at long last, the title of this piece makes a shred of sense) and not worth the bother?
...would smell the same
The marketing and news blurbs about W2K3 have a certain peculiarity about them.
The "AD lite" service, Active Directory Application Mode (ADAM), isn't really a part of W2K3 Server at all, yet this useful-sounding directory service is touted in more than one place as a "benefit" of W2K3 Server (it runs on WinXP too!), even though it is presently downloadable from Microsoft independently of W2K3.
Balancing that, and about as related—in the other direction—is the noise a couple of months ago about "the first patch for W2003 Server!" It was really a patch for IE5 and later, up to and including IE6, the default browser on W2K3 Server, which is locked down by default when the OS is installed. Think: WHY would you run an IE browser on a server? By any sane standard there is insufficient connection between this IE patch and the W2K3 OS to merit a mention of the two together, but then again "Hot Words" catch interest and sell papers.
Now then, ask any *nix type what the biggest joke about Windows OSs is, and four out of five times you'll likely get the answer "IIS!!" (followed by a gush on the merits of Apache over Linux; after all, 60 percent+ of the Web servers out there can't be THAT wrong). And it's a sad fact that IIS installations are cracked and defaced much more than Apache-based sites, by a huge margin. While the reasons for this are NOT as simple as the raw numbers, the fact remains in the relatively uninformed public mind, and so IIS has a bad reputation.
Included in the W2K3 package is the new version, IIS6. And a quick peek at it reveals that Microsoft is taking Internet Services security and reliability VERY seriously these days. Here's a short rundown of features:
- Everything in IIS6 is about isolation and compartmentalization. Everything. If a process, application, or site fails, it can't affect the rest of the service (Web sites are treated as applications).
- Anonymous users use the severely limited, low-privilege Network Service account; even .ASP is accessed this way.
- The IIS metabase—the store of settings information equivalent to the registry in an OS—is an XML text-based file, not the usual impenetrable binary. Metabase backups and restores can be password-protected separately from the rest of the machine, and previous versions may be restored quickly if the current one is corrupted. The metabase can be easily edited by hand in Notepad or by script, and the changes applied in memory while IIS is running, with no interruption of service.
- FTP users who need to upload files and such are completely shut into their own directory, with no access to higher levels possible. Their top-level folder appears as the FTP directory root.
- The infamous "buffer overflow attacks" are made far more difficult, partly because everything is monitored. If a worker process fails, another will take over the request. At the Admin's option, you can set a failed process to be killed, or left running for diagnostic purposes.
- If an application pool fails repeatedly in a short time, you can configure it to be automatically disabled. This can stop or slow a DoS attack.
- The HTTP service is now a kernel-mode driver. It responds to requests and caches pages, and is not involved in processing pages. Not only does this improve performance, but there is more isolation between application processes.
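To make the FTP isolation item above concrete, here is an added example (not from the column and not IIS code) that models how a server can present each user's folder as the FTP root and clamp `..` traversal. The root path, user names, and the `IsolatedFtpSession` class are assumptions made for illustration, and POSIX-style paths are used for simplicity.

```python
import posixpath
from pathlib import PurePosixPath


class IsolatedFtpSession:
    """Lexical model of per-user FTP isolation (illustrative, not IIS code)."""

    def __init__(self, ftp_root, username):
        # Assumed layout: each user's home is <ftp_root>/<username>.
        self.home = PurePosixPath(ftp_root) / username
        self.cwd = "/"  # virtual directory, as the client sees it

    def resolve(self, client_path):
        """Map a client-supplied path to (virtual_path, real_path)."""
        if "\x00" in client_path:
            raise ValueError("NUL byte in path")
        # Treat both separators alike so '..\\..' cannot bypass the check.
        path = client_path.replace("\\", "/")
        # Resolve against the virtual cwd, then collapse '.' and '..'.
        # normpath never climbs above '/' for an absolute path, so '..'
        # at the virtual root simply stays at the virtual root.
        virtual = posixpath.normpath(posixpath.join(self.cwd, path))
        virtual = "/" + virtual.lstrip("/")
        real = self.home / virtual.lstrip("/")
        # Defence in depth: refuse anything that is not the home or below it.
        if real != self.home and self.home not in real.parents:
            raise PermissionError(f"{client_path!r} escapes the user root")
        return virtual, str(real)

    def chdir(self, client_path):
        self.cwd, _ = self.resolve(client_path)
        return self.cwd


def demo():
    # Constructed sample session; the root path and user name are made up.
    s = IsolatedFtpSession("/srv/ftproot", "alice")
    return [
        s.resolve("/"),                      # home appears as the FTP root
        s.resolve("../../bob/secret.txt"),   # clamped under alice's home
        (s.chdir("uploads"), s.resolve("..\\..\\..")),
    ]
```

The model is purely lexical; a real server must also account for symbolic links or junctions inside the user's folder that point outside it.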
There's even more that's impressive about IIS6. Clearly, it was rewritten almost completely from the 5.x versions with security, reliability, and efficiency of management in mind. Field practice will show just how snazzy this new IIS version really is, but at any rate, a LOT of work went into it.
And, so, what does Microsoft advertise as the main security benefit of not only IIS6, but the whole W2K3 Server OS? The fact that it's all disabled by default after a clean install. Yup. That's the main selling point, the one you hear the most about. "Nothing works, right out of the box"—and they're all SO proud of that.
OK. In a real sense, that's only logical, nay, overdue. It sure beats the standard alternative of coming online with everything on and wide-open, where the first thing an Admin has to do upon an install is to race from dialog box to Properties sheet turning off NetBIOS over TCP/IP and other cold-sweat horrors inserted for some inane POSIX compliance or another, and hoping nothing gets forgotten in the mad shuffle. But really, it's a sort of a slap in the face when you think about it.
The appeal to the VP class goes like so: "Finally, your Sys Admins can't slip up and leave a target; we've taken care of all that. You know those people can barely tie their shoes without help...and now that they all won't be as busy, maybe you can even fire a couple of them and get by."
It's the same appeal that advocates enabling Automatic Update—releasing untested patches into the production network as soon as they come out. It's pretty clear that the brunt of the marketing impact is for the suits, not for the techies. It's also pretty clear that Microsoft is banking upon the eternal disparity between authority and responsibility.
With all that out of the way, now you can see that if you're running NT4 or even W2K on your servers, maybe it's a good time to take a nice long look at W2K3 Server, with its beefed-up IIS6 and its new AD tools, and perhaps you too will make the decision to upgrade...