I guess I should start by first emphasizing what Microsoft is trying to accomplish with Windows 2003 Server. As some of you know, Microsoft has the reputation of being “wide-open” by default. What do I mean by that? Well, if one were to analyze Windows 2000, what would be found is a Network Operating System (NOS) that has a few unnecessary, but convenient features installed by default. Some of those features are IIS, a completely insecure file system, an insecure internet browser and so forth. I could go on and on, but then you would probably stop reading this out of boredom.
Enter January 2002. Attention EVERYONE!!! Bill Gates Speaks! What does he have to say? Allow me to sum it up: Our software is insecure. We need to initiate a new type of computing. Let’s call it Trustworthy Computing.
So what exactly is Trustworthy Computing? Well, you can sum it up with a formula that Microsoft has come up with: SD3+C. Here’s what that formula breaks down into: Secure by Design, Secure by Default, Secure in Deployment and Communications.
Secure by Design means basically that the Software contains no security vulnerabilities before is ships. Secure by Default means that there are as few permissions given as possible when a product ships. Secure in Deployment are all of the measures that are taken to verify that the system stays secure while running on the corporate network. This entails everything from Detecting breaches to reporting them to taking corrective action. Communication - This is not necessarily data communication across the network. The Communication that Microsoft is speaking of is how information about patches and security flaws are sent to customers and how well information about corrective action is understood.
So let’s now look at what $200 Million buys when it comes to security. Windows 2003 is the first Server product that Microsoft is releasing that will start to show these benefits.
Oh WOW. What can I say? The amount of initial security that you see with Windows 2003 is quite… forward. While navigating through this NOS, you are constantly reminded as to what Microsoft’s main goal is today: SECURITY. When opening something as simple as Internet Explorer one is bombarded with security warnings and suggestions.
Let’s start with a simple but delightful little new feature called Effective Permissions. What a wonderful idea! Effective permissions will summarize what permissions a user has on an object based on all security settings applied to that object’s ACL when the User and all of the Users Group membership settings have applied. What does all that mean? Well, to summarize, when you go to the properties of an object in Windows 2003, select the Security tab and Click the Advanced button. You will now see three tabs: Permissions, Owner and Effective Permissions. The first two are common and have been around for a while. If you go to the effective permissions tab, you will see that you can select a user or group. When you select a group or user, Windows will analyze all subsequent groups that object may be nested in and provide you will an exact summary of what the Effective Permissions will be.
Windows 2003 Server trusts are similar to Windows 2000 trusts. Like Windows 2000, all domains within a 2003 forest are transitive trusted. What does that mean? Let’s say you have three domains in your network: domains A, B and C. If A trusts B and B trusts C then A trusts C transitively.
A new addition is Forest Trusts. Forest Trusts are really nice. Forest trusts allow one forest to trust another transitively. What are the benefits of that? Well, with Forest Trusts, you won’t need to establish trusts between every domain in each forest, which could potentially be a spider-web of chaos; and a potentially volatile environment for human error. Another benefit of Forest Trusts is that if a domain is added at a later point on one domain, no further configuration would be necessary for that domain to access resources in the other forest. Windows 2003 Forest Trusts are not transitive between forests. What does that mean? Well, if Forest 1 trusts Forest 2 and Forest 2 trusts Forest 3, then Forest 1 does not trust Forest 3.
Windows 2003 also comes with a completely rewritten version of IIS. IIS 6.0 has a bunch of new features that we will discuss in the section of this article dedicated to it. Windows 2003 also comes with the Common Language Runtime (CLR) built into it. What is the CLR you ask? The CLR verifies that software will run without errors and also verifies that software has the appropriate security permissions. System Policies have also been rewritten and fewer services are running on a default installation of Windows. (19 additional services are disabled!) Many of the services that are running have had their privileges lowered.
The File System Security has been lowered tremendously so that users can not write data to the root of drives now. There are also a few new utilities that Microsoft is planning on releasing towards the end of 2003 that will provide Administrators with more control of their network. For example: MACS. I don’t mean the fruity kind either. MACS is an acronym for Microsoft Audit Collection Services. All that I really know about this utility is that it is supposed to be able to export Security Information to an SQL database through some sort of an encrypted method for easier analysis. Information can also be gathered from Multiple servers to that one location. If this is true, this has the potential to be a very useful utility that I have been wanting for a very long time, and I am sure that most of you out there feel the same way. Imagine: Not having to look through the stinking Event Log. I mean I like the event log and the filtering helps, but I would much rather be able to create a custom app that can organize information that is gathered in an SQL database…
Speaking of Auditing, let’s look into more auditing enhancements to Windows 2003 Server. We’ll start with Operation-Based Auditing. Windows 2003 Server supports a new type of auditing that not only tells you who accessed what file, but also what they did to the file once they accessed it. Per-User Selective Auditing is another enhancement. You can now audit the events of a specific user rather than simply system-level auditing. (I assume that you can audit groups as well.)
What about File Encryption? Remember 2000’s implementation? If one were to encrypt a file in 2000, that individual would be the only one that could access it. I remember teaching classes on that subject and almost every student had the same complaint. “Why can’t Microsoft allow more than one user to be able to access an encrypted file?” Well, that has been answered with 2003 Server. 2003 supports Multi-User Encryption of files. Also, Offline Folders can now be encrypted in their offline state.
Here is a summary of Policy Changes mentioned earlier: (These were taken straight from a Microsoft Whitepaper on the subject.)