Server 2008 beta to improve security, say analysts

This promises to be a big year for Microsoft. It started 2007 with the consumer roll-out of its new client operating system, and it will see the year out by shipping the long-awaited Windows 2008 Server.

With security at the top of the agenda, users will be eager to see how watertight the system really is. Microsoft has already had a chance to refine its security technologies by including key security components in Vista, many of which have made their way into the server's code.

However, Vista has been criticised by some security experts for issues such as its handling of user privileges and its apparently interminable security alerts. When Windows Server 2008 finally ships, will it fare any better?

According to online reviews and some analysts, the signs are good. Rob Enderle, founder of analyst firm the Enderle Group, says that his contacts in Microsoft's Community Technology Preview programme have been so impressed with the new features that they have begun deploying the beta version already.

"It is the almost exact opposite of the reception that Vista got. With that, you could not find anyone to deploy it," Enderle says.

Microsoft UK's Windows server product manager, Gareth Hall, breaks down the security enhancements in Server 2008 into two main categories: direct server security and features that extend security across the rest of the company.

Streamlined installation

The first category includes Server Core, an installation option stemming from work that Microsoft did to make its operating system code more modular. As part of the development process for Windows Server 2008, a lot of work was put into separating the operating system into components. "That lets us understand dependencies and strip out big chunks of code," says Hall.

The result of this is an installation option in which many features are not just disabled, but excluded from the code base altogether, stripping about 65% of the code out of the system and limiting its exposure to attack.

Components such as the .Net Framework, Internet Explorer and Media Player can be removed, leaving a system configured for specific, limited roles such as file and print serving, DNS, or acting as a domain controller. Administrators will need to install the full operating system to turn the system into a proper application server.

This concentration on configuring the server for different roles also affects the host-based firewall, which for the first time is turned on in the server operating system by default. The built-in firewall, unlike Microsoft's application-level ISA Server firewall, blocks traffic at the port level according to the role that the administrator defines for it.

"When you add a role it also opens up the necessary firewall ports," says Hall. "In the past, many users may have just switched on the function and opened up the whole firewall because that was regarded as the quick and easy way of doing security. This is a great way to ensure that Windows opens up just the stuff that you need to open up."

Microsoft has merged the administration of the firewall and the IP security protocol into a single panel for the Microsoft Management Console, which Hall hopes will make it easier to configure the two.

The firewall can be programmed to automatically check the integrity of incoming traffic by using IP security if that traffic comes from a Vista or Windows Server 2008 system. "This means that even for someone to talk to a server or client, before you can send a packet you need to authenticate first," Hall says.

Administrator skills gap?

In spite of the streamlined interface, there may be some poorly trained administrators who will not be able to configure the firewall properly. This might become a problem, particularly when using applications not specifically designed with a host-based firewall in mind, because their functions could be crippled if they try to operate over ports that have been closed down by default.

"An easy-to-use enterprise firewall in the SME market is a natural oxymoron," says Enderle. "Typically, what defines an SME is that it does not have a professional IT infrastructure."

Nevertheless, it is still probably going to be easier to use the firewall system in Server 2008 than the firewalls that administrators have grappled with in the past, Enderle says. And if all else fails, that management and configuration overhead can be passed on to a third-party to deal with.

Microsoft has been working on a Windows 2008 logo programme to help smooth the path for independent software suppliers that need to test their applications to work with the new configuration.

"Previous 'certified for Windows'-type programmes were challenging," Hall says, noting that the company has altered the Windows Server 2008 compliance scheme to make it easier and faster for independent software suppliers to get their applications certified.

That compliance programme will also be an important resource for suppliers of legacy code that want to upgrade their products to take advantage of the more secure operating system. Microsoft has made it possible to reduce the privilege level of individual services, meaning that applications can use service accounts that do not have to run at administrator level.

However, legacy code may not always work well with less privileged users, especially when developers code in administrator mode themselves. Enderle says that applications unable to take advantage of this could present opportunities for attackers. "Windows Server 2008 does have the ability to run code designed for older servers, but that code could be compromised when it does," he says.

One way around this will be to run a virtualised server, sandboxing those legacy applications so that they do not damage the rest of the system if they are compromised.

However, Microsoft is behind the rest of the market on hypervisor platforms, and will not be ready with its Virtualisation Server product when Server 2008 launches. A beta version included at launch will be replaced by a final version 180 days after Server 2008 hits the shelves.

Infrastructure changes

All of these security measures directly affect the security of the server, but others focus on locking down other parts of the infrastructure. The big development here is Network Access Protection (Nap), which is Microsoft's version of the client compliance technologies now sold by other companies such as Cisco and Symantec.

The concept is to use Windows Server to check the security status of the client. An enforcement server bundled with the operating system queries the client when it tries to connect, checks for the existence of anti-virus and anti-spyware software and monitors the timeliness of the anti-virus signatures. Other client conditions including software and operating system patches can also be checked.

The enforcement server gets a statement of health from an agent on the client machine, which it then feeds to a policy server. The policy server then makes decisions about how much access to grant to the client depending on its condition.

The check can be enforced in several ways: whenever a Dynamic Host Configuration Protocol (DHCP) request is made (although this is not advisable, because clients could use a static address), via a compatible IEEE 802.1X-enabled access point, or via a virtual private network. The most secure, says Hall, is IPSec-based enforcement, which issues the client a health certificate that it must present before IPSec peers will talk to it.
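The statement-of-health flow described above, as an added illustration (not Microsoft's Nap code): a client's statement of health is scored against a policy and turned into an access decision, with an enforce switch that mirrors the "non-enforcement mode" Clark recommends later in the piece. Field names, thresholds and the sample clients are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class StatementOfHealth:
    """What the client-side agent reports (field names are assumptions)."""
    antivirus_installed: bool
    antispyware_installed: bool
    signature_age_days: int                 # age of the newest AV signature set
    missing_patches: list = field(default_factory=list)


@dataclass
class Policy:
    """Policy-server settings (thresholds are assumptions)."""
    max_signature_age_days: int = 7
    require_antispyware: bool = True
    enforce: bool = True                    # False = check and report only


def evaluate(soh, policy):
    """Return (access, findings). access is 'full' or 'restricted'.
    In report-only mode every finding is still recorded, but access stays
    'full', so the policy's impact can be scoped before it is switched on."""
    findings = []
    if not soh.antivirus_installed:
        findings.append("no anti-virus software")
    elif soh.signature_age_days > policy.max_signature_age_days:
        findings.append("anti-virus signatures out of date")
    if policy.require_antispyware and not soh.antispyware_installed:
        findings.append("no anti-spyware software")
    if soh.missing_patches:
        findings.append("missing patches: " + ", ".join(soh.missing_patches))
    if findings and policy.enforce:
        return "restricted", findings
    return "full", findings


# Constructed sample clients, not captured data; the patch id is a placeholder.
CLIENTS = {
    "healthy": StatementOfHealth(True, True, 2),
    "stale_av": StatementOfHealth(True, True, 30),
    "unpatched": StatementOfHealth(True, False, 1, ["KB-PLACEHOLDER"]),
}


def run(policy):
    """Evaluate every sample client; returns {name: (access, findings)}."""
    return {name: evaluate(soh, policy) for name, soh in CLIENTS.items()}


if __name__ == "__main__":
    for mode in (Policy(), Policy(enforce=False)):
        print("enforce" if mode.enforce else "report-only", run(mode))
```

Running the same clients through both policies shows that report-only mode produces identical findings while granting full access, which is the data an administrator needs before enabling enforcement.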

Bridging the gaps

The system will be compliant both with Cisco's own network-access control (Nac) standard and also with the Trusted Computing Group's trusted network connect protocol, which Cisco does not support. Microsoft will, therefore, become the default bridge between Cisco and everyone else.

This is not the insular Microsoft that most people will remember from the 1990s, says Enderle. "This is old Microsoft. They bridged suppliers in the early years and then they forgot it in the 1990s. They seem to be remembering that now, and they seem to be being rewarded," he says.

Security firms such as Symantec, whose territory Microsoft is increasingly encroaching on with its move into security products and services, are prepared to support its efforts. "Our goal is to get into as many networks as possible in as unintrusive a manner as we can," says Rich Langston, senior product manager for network access control at Symantec. "We will support the Nap protocol once Server 2008 ships."

But not everyone is convinced that these client compliance measures will result in widespread adoption. Users have expressed concerns about the readiness of the technology and the concept's underlying ease of use.

Mike Cherry, analyst at research firm Directions on Microsoft, worries that the interoperability is potentially dangerous. "At this point, all the engineers are talking and everything is fine. Let's say we have a mix of gear from Microsoft, Cisco and Symantec. When I have a problem, who do I call? And are they going to work together?" he says.

Cherry says that the gloves may come off when the concept starts to sell. "They can all talk nice. But if they start losing share from each other, it is going to be interesting to see what happens then."

Dan Clark, vice-president of marketing at network access control technology supplier Lockdown Networks, warns that users should tread softly with Nap, as with any other client compliance system.

Lockdown provides agentless technology that conducts client health checks from within the network. It has built Nap compliance into its products, hoping that users will use it to complement Nap for conducting health checks on non-Microsoft equipment. Microsoft is only providing a Nap client-side agent for Vista and XP SP2.

Clark says that it is important to get networking and security teams working closely together before designing client compliance systems, because the two disciplines converge closely and the actions of one team will affect the other.

"The smart thing to do is to define policies and go into non-enforcement mode where you are checking and reporting on what would happen, but where you do not enforce," Clark says. "That way you can scope its impact, and then have graceful turn-on."

Graceful is a good term for the security features in Windows Server 2008. It harbours an elegantly designed set of security mechanisms that will go at least some of the way towards helping in the battle against the hackers.
