Security Updates on Tap for Server 2003

 
 
By Dennis Fisher  |  Posted 2004-04-09
 
 
 

Even as it puts finishing touches on major security upgrades for Windows XP due later this spring, Microsoft Corp. is preparing a similarly extensive set of security improvements for Windows Server 2003.

The updates, a continuation of the Redmond, Wash., companys efforts to enhance the security and reliability of its products, will give Windows Server 2003 administrators tighter control over which machines can connect to their networks and how those PCs behave once connected, according to officials.

One of the biggest modifications expected for the server operating system is a system known as ACI (Advanced Client Inspection), which checks the health of PCs attempting to connect to a network. The system is similar to Cisco Systems Inc.s Network Admission Control project but is done strictly through Windows.

When a client machine tries to log on to a network, Windows Server 2003 checks the security posture of the PC and compares it against a predetermined corporate policy. If the clients configurations do not match the policy, the machine can be shunted into a special section of the network until it is made compliant.

Customers say the new features have much potential for simplifying their jobs. "I love the idea of checking the security level of a machine before allowing access," said Jeanine Schwartz, network administrator at Bennetts Business Systems Inc., based in Jacksonville, Fla. "By employing that kind of security, it could give hackers another hurdle."

Microsoft plans to ship a set of security policy templates for ACI, but customers can design their own as well. The system also will allow administrators to set group policies for departments that have differing security requirements.

"The notion of one size fitting all in terms of security just isnt the case," said Mike Nash, vice president of the Security and Technology Business Unit at Microsoft, in an interview during the Microsoft Security Summit here last week. "This gives customers the ability to change the requirements dynamically."

How this technology is going to be delivered to customers is still up in the air, Nash said. Nearly all the processing work is done on the server side, and the client machines require only a small agent on their end. While Microsoft plans to release a service pack for Windows Server 2003 in the second half of this year, its unclear whether ACI will be included in that or delivered in some other form, Nash said.

Meanwhile, Microsoft is also at work on an advanced application-level firewall capable of performing deep inspection of application traffic for attacks and other anomalies. This technology, along with some behavior-blocking and intrusion prevention features, is part of a second set of security tools that the company has planned for Windows XP but that likely wont be ready in time for SP2 (Server Pack 2), which is in beta.

Nash said SP2 will include a tool that gives customers the ability to specify which wireless LANs users are allowed to connect to, thereby eliminating the risk that can arise from connecting to unknown and potentially hostile networks.

Check out eWEEK.coms Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis.
Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page:  

Rocket Fuel