Based on what we have seen in Windows .Net Beta 3, Microsoft is trying to make its flagship operating system more secure, but it needs to make more changes. Fundamentally, Microsoft may need to sacrifice some usability to get Windows security where it should be.
In talks with Microsoft's IIS team, we learned that they were creating lock-down tools to give IT managers an easy way to harden Web servers. However, as we have seen again and again, IT managers don't always take the steps required to protect servers from known flaws.
Microsoft can try to wash its hands of these security flaws by blaming IT managers who don't patch their servers immediately when fixes are published to the Web, but I feel the company has an obligation to ship operating systems that have tightened security by default.
During a default installation, Windows .Net allows you to create administrator accounts with blank passwords. If Microsoft's masterminds can put such an effort into creating wizard-based interfaces for signing up for MSN, why couldn't they create a simple wizard to help IT managers create and set up secure passwords?
Blank passwords are nice from an ease-of-use standpoint, but they trivialize security. In the new Windows .Net beta, Microsoft tries to harden security by preventing users from accessing servers remotely using blank passwords, but in tests at eWeek Labs, we found that this block doesn't apply to the administrator account. (For Labs' review of Windows .Net Beta 3, go to www.eweek.com/links.)
Microsoft could tighten security by limiting the number of services that are started automatically in default installations. It is hesitant to do this because it is afraid that application compatibility will suffer. (Applications sometimes abort installation when a required Windows service is missing or not running.) I'd rather spend a couple of minutes adding a service before installing an application than have an unnecessary service running on my servers.
Usability is important in all operating systems, but in the grand scheme of things, security and reliability should be ranked far ahead.
Senior Analyst Henry Baltazar can be reached at firstname.lastname@example.org.