Windows Server 2003 touts out-of-the-box security as one of its most important features. Since Windows operating systems have taken a highly-publicized beating at the hands of hackers and virus-writers in recent years, it has been a high priority for Microsoft to improve the security of Windows and other Microsoft software. The entire company has refocused in an attempt to create more secure products.

While there is no such thing as a 100 percent secure system, Windows Server 2003 has made significant strides in terms of the security of its default configuration (which is very important since many operating systems are simply installed in their default configuration).

In order to measure the security improvements of Windows Server 2003, Microsoft commissioned a study that was conducted by Ernst & Young LLP to helps quantify the relative “attackability” of various Windows operating systems, and most importantly Windows Server 2003. We’re going to take a look at the “Relative Attack Surface Quotient” (RASQ) that was used in this study and what it reveals about Windows Server 2003 security.

Relative Attack Surface Quotient (RASQ)
Microsoft has acknowledged that historically it has been difficult to measure a system’s security elements due to a variety of reasons, some of which Microsoft cites as lack of standards and lack of vendor support.

The “Relative Attack Surface Quotient,” or RASQ, is a mathematical method of assessing the attackability of an operating system. The RASQ attempts to mathematically assess systems through a well-defined process in which the system (in this case Windows Server 2003) can be compared to other systems to determine which is less attackable. Keep in mind that this assessment is aimed at the “surface” of the operating system, which can be defined as the points of attack or the potential weak spots (essentially, those portions of the operating system that are targetable by hackers). Good examples of a surface attack are attacks against services, or weakly secured file systems, open sockets, services running as “System,” etc.

The formula
At first glance, the mathematics behind this process can seem a bit confusing. In reality, it’s not as tough as you might think. By identifying the attackable portions of the operating system, assigning a likelihood of attack, and cumulatively adding them together you arrive at the RASQ of a system.

At a lower level, this is what happens: To determine a system’s RASQ you must identify the “Root Attack Vectors.” Root Attack Vectors are portions of the operating systems (i.e., features) that can positively or negatively affect the security of a system. Root Attack Vectors assist in determining the “Effective Attack Surface Value.”

To determine the Effective Attack Surface Value multiply the total number of attackable surfaces (things that can be targeted) within a given Root Attack Vector by the “Attack Bias.” An Attack Bias is a numerical value that helps determine the risk of compromise for a particular surface. Keep in mind that the Attack Bias is a completely subjective numbering system based on reasonable conclusions and likelihood of attack.

Finally, to determine the RASQ, simply add the Effective Attack Surface Values together. The result is the RASQ of a system. For those of you who are truly interested in mathematical details of RASQ, check out this PowerPoint presentation by Jeannette Wing.

The results
So, which operating system is less attackable? Well, the answer to that question is actually surprising…well not really, if you stop and think about it. Windows NT 4.0 without IIS came in as the least attackable operating system. However, the relevancy of this finding is clear. Windows NT 4.0 Server is no longer a viable new purchase when it comes to server-level operating systems. Of the servers that were configured with IIS, Windows Server 2003 came in with the lowest score (lowest being a good thing). This is exactly what Microsoft has been trying to market. With security being touted as a key reason to move to Windows Server 2003, these types of results are indicative that this new version of the OS is indeed more secure in its default configuration (compared to other operating systems).

Which OS scored the worst? Windows 2000, configured with its out-of-the-box default settings (including IIS) scored a whopping 341 points! But that is no surprise. The significant improvements in areas like Directory Services were overshadowed by gaping security holes and what appeared to be major lapses in business acumen. That said, Microsoft has come around, assigning security a much higher priority in Windows Server 2003.

It is very interesting (and quite logical) to note that the addition of IIS to a system drastically affected the scores—making them higher. Translation: IIS makes your system much more attackable. Remember this measurement is not designed to determine how secure a system is in a locked down state, but instead how attackable it is in its default configuration.

End sum
As with other equations designed to provide measurement of IT variables, the RASQ is somewhat subjective in nature. However, Microsoft, realizing the importance of security, needed a way to compare Windows Server 2003 to other operating systems. By measuring all systems by the same barometer (subjective or not) Microsoft provides evidence to suggest that Windows Server 2003 is less attackable than other operating systems, and therefore one could infer that it is more secure in its default configuration.

More on RASQ

For more on the usefulness of RASQ, read this article from MCP Magazine columnist Roberta Bragg.

My experiences with Windows Server 2003 tend to substantiate this argument. However, as usual, there is no such thing as a completely secure system, and a prudent company will take the appropriate steps to ensure any vulnerabilities are mitigated. What is also quite interesting is that the same model that was used to compare operating systems can also be used to benchmark applications and be factored into the development of new applications. Such a standard as this can be useful in measuring any product’s attackability.