Windows Server 2003: Is it secure by default?

Microsoft has invested $200 million in making Windows Server 2003 the most secure Windows platform to date. Here's a look at the security enhancements and one issue that could most affect security improvements.

Windows Server 2003 is the first major product that Microsoft says will benefit from the company's Trustworthy Computing effort, and the Microsoft PR folks say that about $200 million was spent just to improve security in this operating system. That means that it’s vital to the company’s reputation that WS2K3 at least be perceived as being more secure than Windows NT 4 or Windows 2000. We're going to take a closer look at the security features of Windows Server 2003 and their true potential for improving the overall security of the platform.

New security features
At first glance, WS2K3 has a number of new security tools built in as well as improvements to security features from Windows 2000. However, the biggest (and probably the best) change to the way WS2K3 addresses security threats is that Microsoft has finally recognized that many administrators typically do not install software (not just Microsoft programs) in a secure fashion, either because of lack of training or simply because the admins don’t have the time.

This new attitude has caused the WS2K3 developers to “reduce the default attack surface” of this operating system by disabling 19 services that were automatically installed in previous versions. Across the board, the default security settings in WS2K3 are much more restrictive.

Some other notable changes include:

IIS is no longer installed automatically with the operating system. This is an important change because so many vulnerabilities have been found in IIS. However, the latest version of IIS is supposed to be considerably more secure.

For installations where IIS is already installed (where an upgrade is involved rather than a clean install) and/or where IIS is probably needed to maintain services, IIS 6.0 (included with WS2K3) is automatically configured in what Microsoft describes as a “locked down” state. In this default configuration it will “only accept requests for static files until configured to serve dynamic content, and all time-outs and settings are set to aggressive security defaults,” according to Microsoft. Administrators can also disable IIS using Windows Server 2003 group policies.

Encryption—in various forms
Microsoft has made several changes involving encryption:
  • Advanced Encryption Standard support has been added to EFS file encryption (first included in W2K) but there doesn’t appear to be a way to disable data recovery.
  • Since management complexity is a major reason why encryption either isn’t used or becomes compromised, the addition of multiuser support (which allows an entire workgroup to access encrypted files without sharing the same password) will make it much easier to apply encryption on a secure basis.
  • Passwords stored in the Security Account Manager will now be automatically encrypted (128-bit).
  • Wireless security is improved by applying existing security tools to wireless networks. Several changes, including the elimination of the need for client-side certificates, should make it easier for administrators with limited resources to secure WLAN access.
  • Virtual private network support has gotten some minor improvements. WS2K3 also improves security by adding 2048-bit Diffie-Hellman key exchange support to IPSec.

File (object) auditing now detects and records not only whether someone with write permission opened a file, but also whether the file was altered.

Selective auditing lets administrators specify more detailed auditing of specific individuals. This may be people identified as security risks for some reason or another, or it may be applied to everyone in a certain department who will have access to especially sensitive data.

Other features
Different administrators will rank other changes differently depending on their circumstances and network requirements. There have been so many security-related changes between Win2K and WS2K3 that it’s impossible to detail all of them here, but listed below are some additional features that will probably be of interest to many administrators:
  • A new feature intended to help secure WS2K3 networks is the Network Access Quarantine Control, which prevents connections with other systems that may not be properly secured. According to Microsoft, NAQC does this by delaying “normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script.”
  • A new Software Restriction Policy will help block untrusted software from executing on the server.
  • The Common Language Runtime (CLR) engine will improve reliability and security “by verifying that applications can run without error and checks security permissions to ensure that code only perform appropriate operations.” Microsoft says that CLR “will reduce number of bugs and security holes caused by common programming mistakes, leaving fewer vulnerabilities for attackers to exploit.”
  • Access control lists are configured with more secure defaults. The example given by Microsoft is the System Root ACL, which, by default, blocks users from writing to the root, preventing some spoofing attacks. WS2K3 also changes the default share ACL from Everyone:Full Control to Everyone:Read.

There are other areas where I don’t understand why the software defaults have been configured as they have. Here are three examples:
  • NT4 and Windows 2000 both had a number of categories for security logging, but auditing of successful or failed attempts to log in to the system was turned off by default. The only notable difference in WS2K3 is the fact that successful attempts are logged by default, but unsuccessful ones are not.
  • File auditing has been improved a bit but there is still no way to grant read-only access to security logs, which might make it easier to assign someone to help monitor the logs without the risk of compromising the data.
  • Passwords can still be simple and short. There is no improved auditing for any attacks involving bad passwords. On the positive side, at least blank passwords can only be used by local accounts and not to access the network remotely.
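One way to check a server for the defaults criticised in this list, added here as an example (not code from the article or from Microsoft): it parses a security template in the INF format that `secedit /export` writes and flags logon auditing that omits failures, plus a weak password policy. The sample template and the 8-character minimum are constructed assumptions.

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`.
# The values are illustrative, not a dump from a real server.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 1
AuditObjectAccess = 0
"""

AUDIT_SUCCESS, AUDIT_FAILURE = 1, 2  # bit flags used in [Event Audit]
MIN_LENGTH = 8  # assumed site policy, not a value from the article


def review_policy(inf_text, min_length=MIN_LENGTH):
    """Return a list of findings for the settings the article criticises."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case used by secedit
    cp.read_string(inf_text)
    findings = []

    # Logon auditing: success-only (1) or off (0) leaves failures unrecorded.
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    for key in ("AuditLogonEvents", "AuditAccountLogon"):
        value = int(audit.get(key, 0))
        if not value & AUDIT_FAILURE:
            findings.append(f"{key}={value}: failed attempts are not audited")

    # Password policy: short minimum length and no complexity requirement.
    access = cp["System Access"] if cp.has_section("System Access") else {}
    length = int(access.get("MinimumPasswordLength", 0))
    if length < min_length:
        findings.append(f"MinimumPasswordLength={length}: below {min_length}")
    if int(access.get("PasswordComplexity", 0)) == 0:
        findings.append("PasswordComplexity=0: simple passwords are accepted")
    return findings


if __name__ == "__main__":
    for line in review_policy(SAMPLE_INF):
        print("FINDING:", line)
```

A real export is normally UTF-16 encoded, so decode the file with that encoding before passing its text to `review_policy`.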

More information on WS2K3
You can find policy changes and other details about the changes in default security settings in Appendix A of the Security Innovations document.

A better approach
If the $200 million extra spent just on securing WS2K3 results in fewer penetrations in the real world and fewer serious vulnerabilities discovered in the software down the road, then it will be money well spent and quickly recouped by the increased desire among administrators to install WS2K3 systems.

Microsoft claims three main benefits from the improved security that has been built into WS2K3:
  • Lowered costs through simplified security management
  • Implementation of open standards including IEEE 802.1x and public key standards
  • Improved protection for mobile users

I believe that the most important security enhancement in Windows Server 2003 is the fact that Microsoft has taken a better approach to the default installation and configuration settings. There are some other solid improvements as well, but the default settings issue has the best potential for making a real impact on the security of the platform.
