The preventative focus on secure installations in the upcoming Windows .Net Server is visible right from almost the first click on the installer. When we did an upgrade test on a Windows 2000 Server system to Windows .Net Server Release Candidate 1, the installer noticed that the IIS (Internet Information Services) Lockdown Wizard had not been run on the machine and so automatically disabled IIS itself as part of the upgrade process (see review).
Terrific! This single action alone is a great advance for Internet security, as out-of-the-box or otherwise poorly maintained IIS installations were the reason the Code ver. 2 worm was able to infect more than 350,000 servers last year (see www.eweek.com/links).
Unfortunately, when we loaded IIS management tool after the upgrade and restarted the Web site, the tool re-enabled the server and made no further mention of the Lockdown Wizard. It should run automatically and apply its settings before the Web server is re-enabled, particularly since the many default Web server extensions installed by Windows 2000 are left enabled in an upgrade to .Net Server.
On a new .Net Server installation, IIS, the Windows FTP server and the SMTP server are not installed by default. In addition, all IIS extensions except those we enabled during the IIS installation process are disabled through a version of the Lockdown Tool now integrated with the IIS admin tool. This is a big security step forward for new IIS setups.
Simple things such as password security are also improved. When doing a new install (not an upgrade), the installer checked our Administrator password and required us to OK passwords that didnt meet basic complexity guidelines. In comparison, Windows 2000 Server blithely lets an administrator click the Next button through the installation, leaving the Administrator password blank.
After installation, we were prompted to configure the automatic updates agent in .Net Server: The default behavior for the agent is to automatically download updates but not apply them.
As with Windows XP, .Net Server has a built-in simple firewall (in addition to the IP Security support in Windows 2000) that can also be used to filter Internet traffic. The firewall is not enabled by default and simply blocks all incoming traffic not sent in response to traffic that originated on the server. The IPSec firewall features do not track the connection state but do allow outgoing traffic to be filtered as well as incoming traffic.