Microsoft's SP1 for Server 2003 Packs a Security PunchBy Dennis Fisher | Posted 2004-06-14 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
The company says its set of upgrades for Windows Server 2003, due to be included in Service Pack 1, will make its products more secure by default and give enterprises more options for locking down servers.Microsoft is working on a set of security upgrades for Windows Server 2003 that executives said will deliver on the company's promise to make its products more secure by default and give enterprises more options for locking down servers.
The security capabilities for the company's flagship server operating system are due to be included in Service Pack 1, which is scheduled for release late this year.
Microsoft Corp. historically has used service packs to fix minor bugs and introduce new features.
With templates that define settings for servers, Windows will be able to lock down Web, mail and FTP servers and other boxes, said officials.
For example, if an administrator is setting up a Windows Server 2003 machine as a mail server, the system could automatically close port 80 and turn off IIS (Internet Information Services) to deny Web traffic and open port 25 to SMTP connections.
If the organization needs to change the box into a Web server, the change can be made quickly, and the system can apply the recommended settings for locking down the IIS server.
Microsoft seeks to make it easier for those without substantial security knowledge to secure Windows environments, officials said.
"The number of people who can manage security well is fairly small. We could spend a lot of time training systems administrators on this, but we can do it automatically," said Scott Charney, chief security strategist at Microsoft, in Redmond, Wash.
Next Page: Extending functionality to enterprises that haven't migrated.
One idea gaining ground inside the company is the use of virtual machines to set up separate compartments running Windows 2000, or even Windows NT 4.0, and Windows Server 2003 on a single server.
In this scenario, an administrator could run particularly sensitive applications in the Windows Server 2003 environment while continuing to run applications in the other partition.
Server roles and virtual machines receive a warm reception from some users, many of whom have yet to get Windows Server 2003 after spending numerous hours locking down their servers.
"This all sounds very positive, and I think all of it will be useful," said Patrick Flanagan, network administrator at Phoenix-based CFS Mortgage Corp. "I'm particularly in favor of the backward-compatibility features for 2000 and NT, given that a lot of us won't be upgrading any time soon."
Microsoft officials said they are still deciding what other security functionality will make it into SP1. The most likely candidate is the company's ACI (advanced client inspection) technology, Microsoft's Charney said.
This system allows the server to check the security configuration and overall health of any PC that connects to a network and deny it access if it doesn't meet the existing corporate policies, he said.
"Even if we build resilient products, they have to be managed well," Charney said. He said Microsoft is considering adding a feature to the Windows client that would automatically download and install updated drivers for third-party devices and applications.
By analyzing customer data provided after system failures, Microsoft officials said they have found that conflicts with outdated drivers cause most of the crashes on Windows machines.