By Terry Sweeney

An interview with Daniel Blum, research director for the Burton Group, a consultancy in Midvale, Utah. His recent report on Windows Server 2003 lauded Microsoft for security advances such as centralized policy management and distributed authentication, but he also found some serious negatives associated with the OS.

This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security.

Question: Your recent report on Windows Server 2003 emphasizes the strengths of the Microsoft product, yet you encourage enterprises to use Linux or UNIX platforms for their critical applications. Is Windows Server 2003 really that vulnerable?

Blum: One reason enterprises should consider risk diversification using multiple platforms is that Windows has suffered large-scale effects from attacks such as Code Red, Nimda, Blaster, etc. This is due to Windows’ population density, and the tendency of attackers to target Microsoft, as well as Microsoft’s implementation mistakes.

Question: What changes or additions does Windows Server 2003 need to be considered more bulletproof: more testing and patching, more perimeter safeguards around WS03-equipped servers, or others?

Blum: All of the above. Plus, customers should consider separating sensitive applications into separate forests, or really, seriously, hardening the enterprise forest, perhaps going so far as to use the “high security” settings in Microsoft’s Security Guide, even though these will reduce functionality and increase costs. Customers should also not deploy ActiveX for sensitive applications, but migrate sensitive applications to use .NET managed code. Long term, Microsoft should look at simplifying the operating system packaging. It is not enough to toggle off settings by default, because the settings could be turned back on by a program or an administrator against company policy. When customers deploy a domain controller (the keys to the kingdom) in a domain containing sensitive applications, they should have the option of deploying just a domain controller. This should involve more than just toggling off some settings; it should ensure the domain controller can never be turned into a browser, Web server, or anything else.

Likewise, customers should be able to deploy a high-security Windows application server that can never toggle ActiveX back on, but just runs managed code. Patch management is very troublesome and expensive for customers. Microsoft or third parties need to develop wrappers that can be deployed flexibly over Windows machines that have a known vulnerability, so that customers have more time to test patches before they install them, provided no critical functions are disabled by the wrapper. This is a problem with Windows architecture today; for example, shutting down the RPC port while awaiting a fix to Blaster disabled Outlook and many other applications. Movement to service-oriented architecture (SOA) with more loosely coupled interfaces should allow wrappers to be more finely grained, deployable without disabling as many functions. Microsoft needs to make sure that it keeps its SOA implementation in Longhorn loosely coupled enough to deliver this flexibility in the future.

Question: How soon do you think WS03 will be enterprise-ready for mission-critical applications?

Blum: There isn’t a binary answer to that question. WS03 will never be completely ready or completely unready. It is just a matter of how much protection cost customers are willing to pay to reduce risk to an acceptable level. Today there is a great deal of protection effort required, arguably too much when you consider how much patch management, other security configuration, firewalls, IDS, audit, and log analysis cost customers. But no matter how good the operating system gets, there will always be some protection effort required for mission-critical applications, given the risks involved. Unfortunately, the basic architecture of WS03 and earlier releases cannot be changed, so it will only get incrementally better.