The Active Network
Product: Windows Server 2003
Company: Microsoft
Website: http://www.microsoft.com
MSRP: See Pricing
Review By: Stewart Saathoff



 

Security

Table Of Contents
1: Introduction
2: Pricing & System Requirements
3: New Features
4: Creation of ADAM
5: Active Directory
6: Security
7: IIS 6
8: Terminal Services
9: Conclusion

I guess I should start by first emphasizing what Microsoft is trying to accomplish with Windows 2003 Server.  As some of you know, Microsoft has the reputation of being “wide-open” by default.  What do I mean by that?  Well, if one were to analyze Windows 2000, what would be found is a Network Operating System (NOS) that has a few unnecessary, but convenient features installed by default.  Some of those features are IIS, a completely insecure file system, an insecure internet browser and so forth.  I could go on and on, but then you would probably stop reading this out of boredom.

Enter January 2002.  Attention EVERYONE!!!  Bill Gates Speaks!  What does he have to say?  Allow me to sum it up: Our software is insecure.  We need to initiate a new type of computing.  Let’s call it Trustworthy Computing.

So what exactly is Trustworthy Computing?  Well, you can sum it up with a formula that Microsoft has come up with: SD3+C.  Here’s what that formula breaks down into:  Secure by Design, Secure by Default, Secure in Deployment and Communications.

Secure by Design means basically that the software contains no security vulnerabilities before it ships.  Secure by Default means that as few permissions as possible are granted when a product ships.  Secure in Deployment covers all of the measures that are taken to verify that the system stays secure while running on the corporate network; this entails everything from detecting breaches to reporting them to taking corrective action.  Communications is not necessarily data communication across the network.  The communication that Microsoft is speaking of is how information about patches and security flaws is sent to customers and how well information about corrective action is understood.

So let’s now look at what $200 Million buys when it comes to security.  Windows 2003 is the first Server product that Microsoft is releasing that will start to show these benefits.

Oh WOW.  What can I say?  The amount of initial security that you see with Windows 2003 is quite… forward.  While navigating through this NOS, you are constantly reminded as to what Microsoft’s main goal is today: SECURITY.  When opening something as simple as Internet Explorer one is bombarded with security warnings and suggestions.


Every time that you install a new service, nothing works and you have to run a wizard that opens up functionality.  That’s right, you heard me, Microsoft has finally closed everything in the box and you have to open it up.  Don’t worry; it’s not as complicated as Linux.  Although everything is closed as tight as can be, the new wizards that accompany the new security architecture are extremely helpful and VERY descriptive as to precisely what you are doing.  In my opinion, they have alleviated most doubt when it comes to which options you should choose when securing your System.  I remember that when I was first attempting to learn the new security features of Windows 2000, I had to reference so many side pieces of literature just to feel more comfortable about what I was doing.  Don’t get me wrong, Windows 2000 was much more pleasant than the complete VOID of information that accompanied Windows NT 4, but after using 2003, you become quite spoiled.

Let’s start with a simple but delightful little new feature called Effective Permissions.  What a wonderful idea!  Effective Permissions summarizes what permissions a user has on an object, based on every entry in that object’s ACL that applies to the user directly or through any of the groups the user belongs to.  What does all that mean?  Well, to summarize: go to the properties of an object in Windows 2003, select the Security tab and click the Advanced button.  You will now see three tabs: Permissions, Owner and Effective Permissions.  The first two are common and have been around for a while.  On the Effective Permissions tab you can select a user or group.  When you do, Windows will analyze all of the groups that user or group may be nested in and provide you with an exact summary of what the effective permissions will be.
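To make the nested-group resolution concrete, here is an added example (my own model, not code from the review or from Windows) of how a user's token of group memberships is built and walked against an ACL in canonical order. The group names, ACL entries and right names are constructed for the illustration.

```python
# Added example (not from the review): a model of how the Effective Permissions
# tab resolves an object's ACL against a user's nested group memberships.
from typing import Dict, List, Set, Tuple

# Group membership, constructed: group -> direct members (users or other groups).
GROUPS: Dict[str, Set[str]] = {
    "Domain Users": {"alice", "bob"},
    "Finance": {"alice", "Finance-Admins"},   # Finance-Admins is nested in Finance
    "Finance-Admins": {"carol"},
}

# An ACL is a list of (ace_type, trustee, rights) in canonical order, which
# Windows keeps as explicit deny ACEs ahead of explicit allow ACEs.
ACE = Tuple[str, str, Set[str]]
REPORT_ACL: List[ACE] = [
    ("deny", "Domain Users", {"DELETE"}),
    ("allow", "Finance", {"READ", "WRITE"}),
    ("allow", "Finance-Admins", {"READ", "WRITE", "DELETE"}),
    ("allow", "Domain Users", {"READ", "EXECUTE"}),
]

def build_token(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return the principal plus every group it belongs to, directly or via nesting."""
    token = {principal}
    changed = True
    while changed:  # repeat until no group is found that contains a token member
        changed = False
        for group, members in groups.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token

def effective_permissions(principal: str, acl: List[ACE], groups: Dict[str, Set[str]]) -> Set[str]:
    """Walk the ACL in order; the first ACE that mentions a right (via any trustee
    in the token) decides it, so a canonical-order deny beats a later allow."""
    token = build_token(principal, groups)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace_type, trustee, rights in acl:
        if trustee not in token:
            continue  # ACE does not apply to this user or any of its groups
        if ace_type == "deny":
            denied |= rights - allowed
        else:
            allowed |= rights - denied
    return allowed
```

Running `effective_permissions("alice", REPORT_ACL, GROUPS)` shows alice keeps READ, WRITE and EXECUTE but never DELETE, because the deny on Domain Users is evaluated before any allow reaches her.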

TRUSTS

Windows 2003 Server trusts are similar to Windows 2000 trusts.  Like Windows 2000, all domains within a 2003 forest are transitive trusted.  What does that mean?  Let’s say you have three domains in your network: domains A, B and C.  If A trusts B and B trusts C then A trusts C transitively.

A new addition is Forest Trusts.  Forest Trusts are really nice.  Forest trusts allow one forest to trust another transitively.  What are the benefits of that?  Well, with Forest Trusts, you won’t need to establish trusts between every domain in each forest, which could potentially be a spider-web of chaos; and a potentially volatile environment for human error.  Another benefit of Forest Trusts is that if a domain is added to one forest at a later point, no further configuration is necessary for that domain to access resources in the other forest.  Windows 2003 Forest Trusts are not transitive between forests.  What does that mean?  Well, if Forest 1 trusts Forest 2 and Forest 2 trusts Forest 3, then Forest 1 does not trust Forest 3.
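The two rules above (transitive trust between domains inside a forest, one-hop-only trust between forests) are easy to get wrong when planning access, so here is an added example that models them; it is my own illustration, not code from the review, and the forest and domain names are constructed.

```python
# Added example (not from the review): trust rules described above. Domains in
# one forest trust each other transitively; a forest trust links exactly two
# forests and never chains through a third.
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed topology: three forests, each a set of domains.
FORESTS: Dict[str, Set[str]] = {
    "forest1": {"a.example", "b.example", "c.example"},
    "forest2": {"d.example", "e.example"},
    "forest3": {"f.example"},
}
# Two-way intra-forest trusts: A-B and B-C exist, A-C is only implied.
DOMAIN_TRUSTS: List[Tuple[str, str]] = [
    ("a.example", "b.example"), ("b.example", "c.example"), ("d.example", "e.example"),
]
# Two-way forest trusts: forest1 <-> forest2 and forest2 <-> forest3.
FOREST_TRUSTS: List[Tuple[str, str]] = [("forest1", "forest2"), ("forest2", "forest3")]

def forest_of(domain: str) -> str:
    return next(name for name, members in FORESTS.items() if domain in members)

def domain_trusts(src: str, dst: str) -> bool:
    """Transitive trust inside a forest: is dst reachable over the trust graph?"""
    if forest_of(src) != forest_of(dst):
        return False
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for x, y in DOMAIN_TRUSTS:  # follow the two-way edges touching cur
            if cur in (x, y):
                nxt = y if cur == x else x
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def forest_trusts(src_forest: str, dst_forest: str) -> bool:
    """One hop only: a forest trust never chains through a third forest."""
    return (src_forest, dst_forest) in FOREST_TRUSTS or (dst_forest, src_forest) in FOREST_TRUSTS

def can_access(user_domain: str, resource_domain: str) -> bool:
    """Can a user from user_domain be authenticated to a resource in resource_domain?"""
    src_forest, dst_forest = forest_of(user_domain), forest_of(resource_domain)
    if src_forest == dst_forest:
        return domain_trusts(user_domain, resource_domain)
    return forest_trusts(src_forest, dst_forest)
```

With this topology `can_access("a.example", "e.example")` is true, while `can_access("a.example", "f.example")` is false even though forest2 trusts both of the others.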

Windows 2003 also comes with a completely rewritten version of IIS.  IIS 6.0 has a bunch of new features that we will discuss in the section of this article dedicated to it.  Windows 2003 also comes with the Common Language Runtime (CLR) built into it.  What is the CLR you ask?  The CLR verifies that software will run without errors and also verifies that software has the appropriate security permissions.  System Policies have also been rewritten and fewer services are running on a default installation of Windows. (19 additional services are disabled!)  Many of the services that are running have had their privileges lowered.

The file system security has been tightened tremendously, so that users cannot write data to the root of drives now.  There are also a few new utilities that Microsoft is planning on releasing towards the end of 2003 that will provide Administrators with more control of their network.  For example: MACS.  I don’t mean the fruity kind either.  MACS is an acronym for Microsoft Audit Collection Services.  All that I really know about this utility is that it is supposed to be able to export Security Information to an SQL database through some sort of an encrypted method for easier analysis.  Information can also be gathered from multiple servers to that one location.  If this is true, this has the potential to be a very useful utility that I have been wanting for a very long time, and I am sure that most of you out there feel the same way.  Imagine:  Not having to look through the stinking Event Log.  I mean I like the event log and the filtering helps, but I would much rather be able to create a custom app that can organize information that is gathered in an SQL database…

Speaking of Auditing, let’s look into more auditing enhancements to Windows 2003 Server.  We’ll start with Operation-Based Auditing.  Windows 2003 Server supports a new type of auditing that not only tells you who accessed what file, but also what they did to the file once they accessed it.  Per-User Selective Auditing is another enhancement.  You can now audit the events of a specific user rather than simply system-level auditing. (I assume that you can audit groups as well.)

What about File Encryption?  Remember 2000’s implementation?  If one were to encrypt a file in 2000, that individual would be the only one that could access it.  I remember teaching classes on that subject and almost every student had the same complaint. “Why can’t Microsoft allow more than one user to be able to access an encrypted file?”  Well, that has been answered with 2003 Server.  2003 supports Multi-User Encryption of files.  Also, Offline Folders can now be encrypted in their offline state.

Here is a summary of Policy Changes mentioned earlier: (These were taken straight from a Microsoft Whitepaper on the subject.)

Policy Changes to Tighten Security by Default

  • Created Secure Root ACL.
    • Stronger ACL to stop access to root directory (c:\).
  • Changed default share ACL from Everyone:F to Everyone:R.
  • Changed DLL Search Order to start in system directory.
  • Hardened Internet Explorer.
  • Increased restrictions on Anonymous users.
    • Anonymous users are no longer members of “Everyone” by default.
    • Disabled Anonymous SID\Name translation on servers; this is NOT the default on Domain Controllers.
  • Put limits on blank passwords.
    • Local accounts that have blank passwords cannot be used to remotely connect to a machine.
  • Set LanManCompatibilityLevel=2 on Servers\DCs by default.
    • By default Windows Server 2003 will not emit insecure LanMan responses.
  • Required SMB Packet signing on DCs.
    • Provides integrity checking for client-DC SMB communications.
  • Required that secure channel communications be signed or encrypted.
  • Modified LDAP Signing.
    • Affects the wldap32.dll LDAP bind initialization sequence so that signing is requested even if the client doesn’t ask for it. This doesn’t kick in if TLS\SSL is used.
  • Object Case Insensitivity
    • Protects against canonicalization type attacks.
  • Stopped allowed paths leakage.
    • Eliminates unnecessary information disclosure pertaining to system config.
  • Restricted remote execution of console apps to admins only.
    • Defense in depth.
  • Improved auditing for Domain Controllers.
  • Improved convert story.
    • Proper coverage for profile directory and optional components.
    • Fixed Profile Directory issues.
Services Turned Off by Default

  • IIS not installed by default
  • Alerter
  • Clipbook
  • Distributed Link Tracking Server
  • Human Interface Device Access
  • Imapi CDROM Burning Service
  • ICF\ICS
  • Intersite Messaging
  • License Logging
  • Messenger
  • NetMeeting Remote Desktop Sharing
  • Network DDE
  • Network DDE DSDM
  • Routing and Remote Access
  • Telnet
  • Terminal Service Session Discovery
  • Themes
  • WebClient
  • Windows Image Acquisition (WIA)
  • The Kerberos KDC is also disabled by default, and then automatically enabled upon DCPromo.
