How Secure Is Windows Server 2003?

By all indications, Windows Server 2003 is engineered to be more secure than its predecessors. Microsoft has adopted a two-pronged approach to achieving this goal: The company has added several new features intended to boost security, and it has altered the operating system’s out-of-the-box settings so that many other features are turned off by default. Will this dual approach help squelch the security problems that have plagued Windows for decades, or does Microsoft still have miles to go?

Overall, analysts seem to agree that new security features in Windows Server 2003 will be less significant to system administrators than changes to the default settings of the OS. Either way, of course, CIOs will still shoulder the burden of making sure everything runs securely day in and day out.

No Thanks to IIS

A couple of brief documents provide an introduction to what is supposedly new in 2003. “What’s New in Security” and “Security Innovations in Windows Server 2003” are the best general overviews.

Among the new features that have been designed into the OS are greater support for the Kerberos security standard, which grants permission to use specific computer resources on a timed basis, and changes to the implementation of public key infrastructure (PKI), such as the ability to store and retrieve private keys in a more logical fashion.

In addition, a switch can be thrown to let users sign on only once with their password across their own and other networks. So-called “single sign-on” is made possible by something called Forrest Trusts, which links the Active Directory program running on one computer to that on another company’s computers.

Despite this and other new technology, there are sins of omission. For example, although Microsoft has focused heavily on its home-brewed Passport techology for transmitting users’ personal data, it has failed to actively support Security Assertions Markup Languages, or SAML, an XML standard designed to perform the same function. That makes collaborating with non-Passport systems tricky. “Microsoft says you can pass SAML information between machines, but that’s not the same as Windows actually being able to use SAML,” Gartner analyst John Pescatore told the E-Commerce Times.

Disable This

Of course, no matter how well designed, an operating system’s security over time depends on how it is managed on a daily basis. Fortunately, Microsoft has made some significant changes on this front too.

For example, Forrester senior analyst Laura Koetzle pointed out that the IIS Web server program is turned off by default in the new version of Windows, so that machines not offering Web connections need not be secured against Web-based attacks. In total, according to Microsoft, 35 different features have been disabled by default.

Gartner’s Pescatore noted that disabling features was a big lesson of another Windows release, Windows 2000. “We found that 65 percent of threats took advantage of the default features,” he said.

Secure by Default?

Security by default is something of a misnomer, however. System administrators are still responsible for modifying settings to create a configuration that suits the specific tasks their company needs to accomplish. Doing so will require studying a 290-page PDF document called “Windows 2003 Security Guide,” complemented by an equally long manual called “Threats and Countermeasures.” The latter is a best-practices guide for keeping Windows 2003 running securely — and it is filled with warnings of perilous tradeoffs for those fiddling with knobs on the program.

For example, the login facility can be set to give a user anywhere from zero to 999 attempts to guess his or her password. Setting the value too high gives password-cracking programs many chances to determine a given password — but locking out an account after only a few tries makes it easy for malicious code to paralyze a company’s workstations by failing the password test a few times.

To system administrators walking this fine line between Scylla and Charybdis, Microsoft counsels instinct. “Any organization should weigh the choice between the two [approaches] based on their identified threats and the risks that they are trying to mitigate,” the guide says.

The Perils of Choice

In essence, the system’s great flexibility may itself be a problem. “The documentation lays out best practices, but the reality is these things can be so complex it’s almost like a system that can’t be managed,” Yankee Group senior analyst Dana Gardner told the E-Commerce Times. “And that’s where vulnerabilities crop up.”

Although Gardner lauded the steps Microsoft has taken to shut off features and programs by default, he cautioned that achieving security in practice goes beyond disabling feature sets. “Companies recognize that this is sort of like a marriage. It’s not one partner or the other who’ll make it work; it’s both Microsoft and the IT staff.”

Famous Last Words

Analysts believe it will take at least 12 to 18 months to find out if Microsoft’s focus on security has borne fruit. Complicating matters, the software giant will roll out other programs this year, each of which could bring more vulnerabilities to the table. There will be new versions of SQL Server and Exchange, as well as the group of technologies code-named Palladium and referred to by Microsoft as the Next Generation Secure Computing Base.

However, in the end, the most important element in determining Windows’ security — or lack thereof — may be the code that underlies and powers Server 2003. Although features can be turned on or off, only Microsoft can change the source. It will take many months to discern whether or not this new offering is really more secure than its predecessors, but for now, analysts are taking Microsoft’s claims with a grain of salt.

As Pescatore noted, “When XP came out, Bill Gates said, ‘This is our most secure Windows ever.’ Two weeks later, we discovered the Plug-and-Play bug. So you’ve got to wonder.”