Windows Gets Security Boost

All things being relative, IIS 6.0 is less vulnerable in Windows .Net Server.

Although Windows .Net Server Beta 3 is not feature-complete, it is clear from eWeek Labs tests that Microsoft Corp. is acknowledging—and, better yet, working to fix—some of the fundamental security problems in its flagship operating system and Web server.

Windows .Net Server, the follow-on to Windows 2000 Server, is also the first Microsoft operating system to include the .Net Framework by default. This built-in support for Web services, along with existing message queuing and transaction services, makes .Net Server an excellent Windows development platform.

But the most radical change in the beta we tested is in the IIS (Internet Information Services) 6.0 Web server, which ships with the operating system. In a clean installation of Windows .Net Server, IIS 6.0 was far more secure than previous versions.

IIS has long been criticized (rightfully) for installing in a manner that makes the server more vulnerable to attack—that is, IIS installs nearly everything, leaving administrators to uninstall what they dont need and/or what might serve as a hole for worms and viruses.

Microsoft has finally gotten the message that the very opposite process—turning on only what you need—is more secure. "Secure defaults are incredibly important. Thats what we learned," said Thomas Deml, Microsoft lead program manager for security and programmability for IIS.

By default, Version 6.0 of IIS has no enabled add-ons and serves only static HTML pages—minimalism that is critical for secure installations. Requests for other types of content, such as Active Server Pages, returned "Page cannot be found" errors in our tests.

When we first ran the IIS management snap-in, we were asked to complete the IIS 6.0 Security Lockdown Wizard by checking the types of extensions we wanted enabled. The wizard isnt as functional as the one for IIS 4.0 and 5.0, however, lacking support for server usage profiles and Microsofts URL Scan tool. Microsoft officials said they hope to have caught up by the time Windows .Net Server ships, sometime in the first half of next year.

Only administrators doing new installs will reap these rewards. When upgrading, Version 6.0 is configured to enable all the same add-ons that previous versions used. However, the Lockdown Wizard still runs the first time IIS 6.0 is administered, and it prompts IT administrators to disable services.

IIS 6.0s internal design is based on the new httpd.sys, an HTTP server and cache that talks directly to the network stack and runs in kernel mode for improved speed.

Keep it simple

In addition to the changes made to IIS, Microsoft plans to limit the number of open services that are installed by default in Windows. Deml said about 20 more services will likely be disabled by default as of Release Candidate 1. This should limit the number of holes through which intruders can compromise systems based on Windows .Net Server.

Microsoft has also changed the security system in Windows .Net Server so that remote users cannot access a server using accounts with blank passwords, an improvement that should have been made years ago.

On the Active Directory front, domain controllers can now be renamed, as can domains and forests. (However, changing the latter two will require that all domain controllers be Windows .Net Server machines.) This is an important change that will make ongoing directory maintenance easier.

Another interesting feature introduced in this beta is the shadow copy capability. Shadow copy is basically a snapshot backup, which allows applications and users to continue to write to data volumes, even if they are in the middle of a backup process. We could also use a new folder extension tool to restore shadow copies of files.

The shadow copy feature is similar to the snapshot capabilities that ship with backup packages. We feel it is better, though, to run services such as this in the framework of a centralized storage management solution, linking shadow copy services to backup/disaster recovery and storage virtualization services.

Microsoft officials said there will be another substantial round of hardening before RC1 is made available. With its high-volume software model, Microsoft has a special responsibility to ensure that its products are secure out of the box.

Despite the security improvements, Windows .Net is an evolution. So, while the upgrade from Windows NT to Windows 2000 was a revolution—and a difficult undertaking for organizations that had to digest the operating systems many new technologies—the move from Windows 2000 to Windows .Net will be an easier upgrade with fewer architecture overhauls.

eWEEK Labs West Coast Technical Director Timothy Dyck can be reached at [email protected]; Senior Analyst Henry Baltazar can be reached at [email protected]