This promises to be a big year for Microsoft. It started
2007 with the consumer roll-out of its new client operating system,
and it will see the year out by shipping the long-awaited
Windows 2008 Server.
With security at the top of the agenda, users will be eager to
see how watertight the system really is. Microsoft has already had
a chance to refine its security technologies by including key
security components in Vista, many of which have made their way
into the server's code.
However, Vista has
been criticised by some security experts for issues such as its
handling of user privileges and its apparently interminable
security alerts. When Windows Server 2008 finally ships, will it
fare any better?
According to online reviews and some analysts, the signs are
good. Rob Enderle, founder of analyst firm the Enderle Group, says
that his contacts in Microsoft's
Community Technology Preview programme have been so impressed
with the new features that they have begun deploying the beta
version already.
"It is the almost exact opposite of the reception that Vista
got. With that, you could not find anyone to deploy it," Enderle
says.
Microsoft UK's Windows server product manager, Gareth Hall,
breaks down the security enhancements in Server 2008 into two main
categories: direct server security and features that extend
security across the rest of the company.
Streamlined installation
The first category includes Server Core, an installation option
stemming from work that Microsoft did to make its operating system
code more modular. As part of the development process for Windows
Server 2008, a lot of work was put into separating the operating
system into components. "That lets us understand dependencies and
strip out big chunks of code," says Hall.
The result of this is an installation option in which many
features are not just disabled, but excluded from the code base
altogether, stripping about 65% of the code out of the system and
limiting its exposure to attack.
Services such as the ASP.net Framework, Internet Explorer and
Media Player can be removed, leaving a system configured for
specific, limited roles such as file and print serving, DNS or
domain controller duties. Administrators will need to install
the full operating system to turn the system into a proper
application server.
This concentration on configuring the server for different roles
also affects the host-based firewall, which for the first time is
turned on in the server operating system by default. The built-in
firewall, unlike Microsoft's application-level ISA Server firewall,
blocks traffic at the port level according to the role that the
administrator defines for it.
"When you add a role it also opens up the necessary firewall
ports," says Hall. "In the past, many users may have just switched
on the function and opened up the whole firewall because that was
regarded as the quick and easy way of doing security. This is a
great way to ensure that Windows opens up just the stuff that you
need to open up."
Microsoft has merged the administration of the firewall and the
IP security protocol into a single panel for the Microsoft
Management Console, which Hall hopes will make it easier to
configure the two.
The firewall can be programmed to automatically check the
integrity of incoming traffic by using IP security if that traffic
comes from a Vista or Windows Server 2008 system. "This means that
even for someone to talk to a server or client, before you can send
a packet you need to authenticate first," Hall says.
Administrator skills gap?
In spite of the streamlined interface, there may be some poorly
trained administrators who will not be able to configure the
firewall properly. This might become a problem, particularly when
using applications not specifically designed with a host-based
firewall in mind, because their functions could be crippled if they
try to operate over ports that have been closed down by
default.
"An easy-to-use enterprise firewall in the SME market is a
natural oxymoron," says Enderle. "Typically, what defines an SME is
that it does not have a professional IT infrastructure."
Nevertheless, it is still probably going to be easier to use the
firewall system in Server 2008 than the firewalls that
administrators have grappled with in the past, Enderle says. And if
all else fails, that management and configuration overhead can be
passed on to a third-party to deal with.
Microsoft has been working on a Windows 2008 logo programme to
help smooth the path for independent software suppliers that need
to test their applications to work with the new configuration.
"Previous 'certified for Windows'-type programmes were
challenging," Hall says, noting that the company has altered the
Windows Server 2008 compliance scheme to make it easier and faster
for independent software suppliers to get their applications
certified.
That compliance programme will also be an important resource for
suppliers of legacy code that want to upgrade their products to
take advantage of the more secure operating system. Microsoft has
made it possible to reduce the privilege level of individual
services, meaning that applications can use service accounts that
do not have to run at administrator level.
However, legacy code may not always work well with less
privileged users, especially when developers code in administrator
mode themselves. Enderle says that applications unable to take
advantage of this could present opportunities for attackers.
"Windows Server 2008 does have the ability to run code designed for
older servers, but that code could be compromised when it does," he
says.
One way around this will be to run a virtualised server,
sandboxing those legacy applications so that they do not damage the
rest of the system if they are compromised.
However, Microsoft is behind the rest of the market on
hypervisor platforms,
and will not be ready with its Virtualisation Server product when
Server 2008 launches. A beta version included at launch will be
replaced by a final version 180 days after Server 2008 hits the
shelves.
Infrastructure changes
All of these security measures directly affect the security of
the server, but others focus on locking down other parts of the
infrastructure. The big development here is Network Access
Protection (Nap), which is Microsoft's version of the client
compliance technologies now sold by other companies such as Cisco
and Symantec.
The concept is to use Windows Server to check the security
status of the client. An enforcement server bundled with the
operating system queries the client when it tries to connect,
checks for the existence of anti-virus and anti-spyware software
and monitors the timeliness of the anti-virus signatures. Other
client conditions including software and operating system patches
can also be checked.
The enforcement server gets a statement of health from an agent
on the client machine, which it then feeds to a policy server. The
policy server then makes decisions about how much access to grant
to the client depending on its condition.
The process can be conducted in several ways: whenever a Dynamic
Host Configuration Protocol (DHCP) request is made (although this
is not advisable, because clients could use a static address), via
a compatible IEEE 802.1X-enabled access point, or via a virtual
private network. The most secure, says Hall, is the IPSec-based
enforcement system using an IPSec-based certificate of health
downloaded to the client.
Bridging the gaps
The system will be compliant both with Cisco's own
network-access control (Nac) standard and also with the Trusted
Computing Group's trusted network connect protocol, which Cisco
does not support. Microsoft will, therefore, become the default
bridge between Cisco and everyone else.
This is not the insular Microsoft that most people will remember
from the 1990s, says Enderle. "This is old Microsoft. They bridged
suppliers in the early years and then they forgot it in the 1990s.
They seem to be remembering that now, and they seem to be being
rewarded," he says.
Security firms such as Symantec, whose territory Microsoft is
increasingly encroaching on with its move into security products
and services, are prepared to support its efforts. "Our goal is to
get into as many networks as possible in as unintrusive a manner as
we can," says Rich Langston, senior product manager for network
access control at Symantec. "We will support the Nap protocol once
Server 2008 ships."
But not everyone is convinced that these client compliance
measures will result in widespread adoption. Users have expressed
concerns about the readiness of the technology and the concept's
underlying ease of use.
Mike Cherry, analyst at research firm Directions on Microsoft,
worries that the interoperability is potentially dangerous. "At
this point, all the engineers are talking and everything is fine.
Let's say we have a mix of gear from Microsoft, Cisco and Symantec.
When I have a problem, who do I call? And are they going to work
together?" he says.
Cherry says that the gloves may come off when the concept starts
to sell. "They can all talk nice. But if they start losing share
from each other, it is going to be interesting to see what happens
then."
Dan Clark, vice-president of marketing at network access control
technology supplier Lockdown Networks, warns that users should
tread softly with Nap, as with any other client compliance
system.
Lockdown provides agentless technology that conducts client
health checks from within the network. It has built Nap compliance
into its products, hoping that users will use it to complement Nap
for conducting health checks on non-Microsoft equipment. Microsoft
is only providing a Nap client-side agent for Vista and XP SP2.
Clark says that it is important to get networking and security
teams working closely together before designing client compliance
systems, because the two disciplines converge closely and the
actions of one team will affect the other.
"The smart thing to do is to define policies and go into
non-enforcement mode where you are checking and reporting on what
would happen, but where you do not enforce," Clark says. "That way
you can scope its impact, and then have graceful turn-on."
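The Nap exchange described above (client agent, enforcement server, policy server) and Clark's non-enforcement mode, modelled as an added illustration that is not Microsoft's Nap code; the health fields, the three-day signature threshold and the sample clients are assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2008, 2, 27)  # constructed "today" so the signature-age check is deterministic

@dataclass
class StatementOfHealth:  # what the client-side agent reports to the enforcement server
    host: str
    antivirus_installed: bool
    antispyware_installed: bool
    signature_date: date          # date of the newest anti-virus signatures
    missing_patches: tuple = ()   # constructed patch identifiers, if any

@dataclass
class HealthPolicy:  # policy-server settings; the three-day threshold is an assumed value
    max_signature_age: timedelta = timedelta(days=3)
    enforce: bool = True          # False = Clark's "non-enforcement mode"

def evaluate(soh, policy, today=TODAY):
    """Policy-server decision: (access_level, findings); report-only mode keeps full access."""
    findings = []
    if not soh.antivirus_installed:
        findings.append("anti-virus not installed")
    if not soh.antispyware_installed:
        findings.append("anti-spyware not installed")
    if today - soh.signature_date > policy.max_signature_age:
        findings.append("anti-virus signatures out of date")
    if soh.missing_patches:
        findings.append("missing patches: " + ", ".join(soh.missing_patches))
    if findings and policy.enforce:
        return "restricted", findings
    return "full", findings

CLIENTS = [  # constructed sample statements of health
    StatementOfHealth("pc-01", True, True, date(2008, 2, 26)),
    StatementOfHealth("pc-02", True, True, date(2008, 2, 10)),
    StatementOfHealth("pc-03", False, True, date(2008, 2, 26), ("KB-EXAMPLE-1",)),
]

def enforcement_server(clients, policy):
    """Forward each statement of health to the policy server; return {host: access_level}."""
    decisions = {}
    for soh in clients:
        access, findings = evaluate(soh, policy)
        decisions[soh.host] = access
        print(f"{soh.host}: {access}", "; ".join(findings))
    return decisions

if __name__ == "__main__":
    enforcement_server(CLIENTS, HealthPolicy(enforce=False))  # scope the impact first
    enforcement_server(CLIENTS, HealthPolicy())               # then the graceful turn-on
```

Running it in report-only mode first shows which clients would be restricted without cutting anyone off, which is the "scope its impact, then have graceful turn-on" sequence Clark recommends.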
Graceful is a good term for the security features in Windows
Server 2008. It harbours an elegantly designed set of security
mechanisms that will go at least some of the way towards helping in
the battle against the hackers.