This article was originally published in the Security Solutions e-Newsletter.
In the past, Microsoft has been known to bundle a lot of extra features with its operating systems, most of which are installed with Service Account privileges by default. Windows Server 2003 breaks that mold by disabling, or running at a lower privilege, more than 20 services that were enabled by default in Windows 2000 Server.
Two of the most important security reforms in WS2K3 deal directly with IIS and Telnet Server. Neither IIS nor Telnet is installed by default, and both services run under two new accounts that operate at lower privileges than the normal System Account. This change immediately improves the security profile of the server if a malicious hacker compromises either service.
Along with its improvements to Service Accounts for IIS and Telnet, WS2K3 includes a host of new security features that may be deciding factors when you think about upgrading servers to Windows Server 2003.
Internet Connection Firewall (ICF)
ICF is a software-based firewall that provides basic port security to your networked server. It works with your current security devices, adding another layer of protection to your critical infrastructure.
Software restriction policies
Software restriction policies use both policy and execution enforcement mechanisms to restrict unauthorized executables from running on your systems. These restrictions are additional measures to prevent users from executing programs that aren't part of your company's standard user software suite.
Web server security
Web server security is set to maximum when the default installation of IIS 6.0 is loaded. New IIS 6.0 security features include selectable cryptographic services, advanced digest authentication, and configurable access control of processes.
New digest security package
A new digest security package supports the digest authentication protocol as defined by RFC 2617. This package provides greater protection for IIS and Active Directory.
Security improvements for Ethernet and wireless LANs
Based on the IEEE 802.1X specifications, improvements to Ethernet and wireless LANs facilitate secure authentication and authorization of users and computers, regardless of connecting media. These improvements also support auto-enrollment of public certificates and smart cards, which enable access control to networks that traditionally reside in or traverse public places, such as university campus WANs and government WANs across large cities.
Credential Manager provides a secure warehouse for all user credentials, including passwords and X.509 certificates. This feature enables the single sign-on feature across multiple domain trusts.
The Internet Authentication Server and Remote Authentication Dial-in User Server (IAS/RADIUS) controls remote user authentication and authorization access controls. This service is functional for a variety of connection types, such as dial-up, virtual private networks (VPNs), and firewall connections.
FIPS-compliant kernel-mode cryptographic algorithms
The Federal Information Processing Standard (FIPS) algorithms can support SHA-1, DES, 3DES, and a random number generator. This government-grade crypto module is used to encrypt Layer Two Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) connections via VPNs from client to server, server to server, or gateway to gateway.
Improved SSL client authentication
Improvements in Secure Socket Layer (SSL) client authentication enable sessions to run 35 percent faster and to be cached and shared by multiple processes. This reduces user authentications to applications, which reduces network traffic and CPU cycles on the application server(s).
Encrypted File Service (EFS) improvements allow administrators and users to give multiple users access to groups of encrypted files. It also provides additional file storage protection, along with maximum user capability.
In addition to all of these new security features, Microsoft has released a Security Configuration Manager designed to integrate security options over the entire operating system into one management console.
Microsoft has spent a lot of time telling the public about its new security initiatives. It has even included a number of security enhancements to this server release. However, after testing WS2K3 for a month, I didn't notice any added value of significance from the new security features. The changes incorporated into the IIS and Telnet implementations are a good start, but WS2K3 is still a Microsoft product, which means that it has a long way to go before it wins my trust.
I've highlighted WS2K3's security features to help you decide whether Microsoft has lived up to its initiative and has finally delivered a secure product—or whether it still lacks a strong security focus. My advice: If you're thinking about deploying WS2K3 in your enterprise, wait a while. Let the hackers play with it for a couple of months and watch for security fixes before deploying the new OS on a production network.