Microsoft is working on a set of security upgrades for Windows Server 2003 that executives said will deliver on the companys promise to make its products more secure by default and give enterprises more options for locking down servers.
The security capabilities for the companys flagship server operating system are due to be included in Service Pack 1, which is scheduled for release late this year.
Microsoft Corp. historically has used service packs to fix minor bugs and introduce new features.
But as the companys focus on security has become more pervasive throughout the development process, Microsoft has begun using the updates to integrate more security capabilities.
The biggest addition due in SP1 is a technology called server roles that can automatically set up security procedures based on server use.
With templates that define settings for servers, Windows will be able to lock down Web, mail and FTP servers and other boxes, said officials.
For example, if an administrator is setting up a Windows Server 2003 machine as a mail server, the system could automatically close port 80 and turn off IIS (Internet Information Services) to deny Web traffic and open port 25 to SMTP connections.
If the organization needs to change the box into a Web server, the change can be made quickly, and the system can apply the recommended settings for locking down the IIS server.
Microsoft seeks to make it easier for those without substantial security knowledge to secure Windows environments, officials said.
“The number of people who can manage security well is fairly small. We could spend a lot of time training systems administrators on this, but we can do it automatically,” said Scott Charney, chief security strategist at Microsoft, in Redmond, Wash.
In addition to finalizing the new security features in SP1, Microsoft has been working with customers to find ways to extend some of the functionality to enterprises that havent yet migrated to Windows Server 2003.
One idea gaining ground inside the company is the use of virtual machines to set up separate compartments running Windows 2000, or even Windows NT 4.0, and Windows Server 2003 on a single server.
In this scenario, an administrator could run particularly sensitive applications in the Windows Server 2003 environment while continuing to run applications in the other partition.
Server roles and virtual machines receive a warm reception from some users, many of whom have yet to get Windows Server 2003 after spending numerous hours locking down their servers.
“This all sounds very positive, and I think all of it will be useful,” said Patrick Flanagan, network administrator at Phoenix-based CFS Mortgage Corp. “Im particularly in favor of the backward-compatibility features for 2000 and NT, given that a lot of us wont be upgrading any time soon.”
Microsoft officials said they are still deciding what other security functionality will make it into SP1. The most likely candidate is the companys ACI (advanced client inspection) technology, Microsofts Charney said.
This system allows the server to check the security configuration and overall health of any PC that connects to a network and deny it access if it doesnt meet the existing corporate policies, he said.
“Even if we build resilient products, they have to be managed well,” Charney said. He said Microsoft is considering adding a feature to the Windows client that would automatically download and install updated drivers for third-party devices and applications.
By analyzing customer data provided after system failures, Microsoft officials said they have found that conflicts with outdated drivers cause most of the crashes on Windows machines.