Microsoft Gets Specific on Windows 2003 Security
- By Scott Bekker
- January 29, 2003
While Microsoft has been promoting the security focus of Windows Server 2003 since delaying the operating system's release in 2002 for a code review, the company disclosed some specific security features in the OS for the first time last week.
Newly disclosed security settings and features include details of some of the services that are disabled or running with reduced privilege by default, a Security Configuration Wizard tool that will be available this summer and new documentation for administrators configuring systems and networks for security.
Redmond's promise to lock down Windows Server 2003 out of the box has been one of the promised upgrades of the operating system that has resonated most with users.
The sum of those default lockdown efforts is that more than 20 services that had been enabled by default in Windows 2000 Server will be disabled or run at a lower privilege in Windows Server 2003.
"The biggest example of a service locked down by default is IIS," says Michael Stephenson, lead product manager on Microsoft's Windows server team. "Another example, Telnet runs at a lower privilege and is not installed by default."
Those two high-profile services also use two new accounts that run at a lower privilege than the System Account, thus reducing exposure if they are compromised by an attacker. IIS 6.0 worker processes use a new Network Service Account. Telnet uses a new Local Service Account.
Another default installation change comes with Internet Explorer. While it will install on the server, out-of-the-box functionality will be limited.
Some users might be surprised to learn that a secure installation wizard will be an add-on, delivered a few months after the April 24 general availability of Windows Server 2003.
The gold code of Windows Server 2003 will ship with a Configure Your Server wizard and with services locked down by default. "The Secure Configuration Wizard will run on top of [Configure Your Server] to make sure that [for example] that file server is now locked down for the highest level of security," Stephenson says.
Microsoft has settled on a few of the roles that will be included in the Security Configuration Wizard, including Web servers, file servers and directory servers. "What we're really trying to determine now is what some of the multi-purpose server roles will be," Stephenson says.
Microsoft has expended much effort recently in producing security guides to help users secure Windows environments. Recent guides include the Security Operations Guides for Windows 2000 Server and Exchange 2000 Server. The company will continue that effort with three new guides it will make available at the Windows Server 2003 launch. "Securing Windows Server 2003" will provide basic lockdown procedures and ongoing management recommendations. Another guide will direct customers on deploying secure identity management solutions using Windows Server 2003. The third document will provide guidance on deploying PKI solutions for secure VPN and wireless access.
Other features unveiled or reiterated by Microsoft last week:
- Remote users won't be able to log on with accounts that have blank passwords.
- Role-based authorization within applications is being added through a utility called the Authorization Manager.
- By default, the system root will be accessible only by the Administrators group. In Windows 2000, the Everyone group had access to the system root.
- A VPN quarantine will allow administrators to stop remote users from authenticating if their systems don't adhere to security policies. The quarantine will include downloads and help for users to bring their systems up to organizational standards, so they can log in. Microsoft CIO Rick Devenuti discussed Microsoft's internal deployment of the feature at MEC 2002 in October.
- The server operating system will sport a new Microsoft Audit Collection System (MACS). "Today admins have to analyze their security logs on each individual system," Stephenson says. "This tool will allow them to take the logs from all the individual servers in their environment, put it into a centralized database and analyze this information."
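As an added administrator's check (not from the article and not a Microsoft tool), the following PowerShell reports which logon account each service runs under, so services still running as LocalSystem rather than the reduced-privilege Network Service or Local Service accounts stand out, and reports whether the Everyone group still holds an access control entry on the system root, the two defaults discussed above. It assumes an elevated PowerShell session on a Windows host with the CIM cmdlets available.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes an elevated PowerShell session on Windows.

function Get-ServiceAccountSummary {
    # Win32_Service.StartName holds the logon account each service runs as,
    # e.g. LocalSystem, NT AUTHORITY\NetworkService, NT AUTHORITY\LocalService.
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($g in ($services | Group-Object -Property StartName)) {
        [pscustomobject]@{
            Account  = $g.Name
            Count    = $g.Count
            Services = (($g.Group | Select-Object -ExpandProperty Name | Sort-Object) -join ', ')
        }
    }
}

function Get-SystemRootEveryoneAce {
    # Returns any ACEs on %SystemRoot% that are granted to the Everyone group.
    # Windows 2000 gave Everyone access here; Windows Server 2003 restricts
    # the system root to the Administrators group by default.
    $acl = Get-Acl -Path $env:SystemRoot
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
}

# Services still running as LocalSystem deserve review: compromising one of
# them yields full system privilege, which is exactly what moving IIS worker
# processes and Telnet to the lower-privilege accounts is meant to avoid.
Get-ServiceAccountSummary | Sort-Object Count -Descending | Format-Table -AutoSize

$everyoneAces = Get-SystemRootEveryoneAce
if ($everyoneAces) {
    Write-Warning "Everyone holds an ACE on $env:SystemRoot (Windows 2000-style default):"
    $everyoneAces | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    Write-Output "No Everyone ACE on $env:SystemRoot."
}
```

Run it before and after applying a lockdown (or the wizard's role-based configuration) to see which services changed accounts and whether the system root ACL matches the documented default.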
Scott Bekker is editor in chief of Redmond Channel Partner magazine.