Feeds

Windows Server 2003 – Secure by Default

MS delivers

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Opinion With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot, writes SecurityFocus columnist Tim Mullen.

One of the biggest criticisms of Windows 2000 was its "everything on" default installation state. For a consumer operating system, it made sense: people wanted specific functionality, and Microsoft provided it for them. For example, IIS installation was enabled by default with all possible mappings and sub-services enabled.

The problem was that no one really needed Internet Printing services enabled by default. Few needed IDQ mapped to the Index Server ISAPI extensions. And production environments certainly didn't need sample files and code examples loaded and reachable by anonymous users.

The thought was that if you didn't need a service or application, then you would go and turn it off or uninstall it.

Microsoft is not alone in this folly. Solaris, for instance, also turns on many potentially unneeded services by default. I attended Jay Beale's "Securing Solaris" Blackhat training session (in disguise, of course) and was surprised by the amount of work one had to go through to turn off all the services you really didn't need.

The problem is that many people don't actually go back and turn things off -- particularly when Windows is involved. Code Red infections are testament to this.

But I can relate to the mindset. When I first became interested in Linux, I purchased Red Hat and went on a binge to explore everything. And I mean everything. I did a complete installation. Why? Because I had no idea of what I was doing, and I didn't want to miss out on something. I didn't want to lose the opportunity of checking out something cool.

I'm sure many others feel the same way, and that is why Microsoft thought they would save people the trouble of going back and loading applications by installing the "popular" ones by default. But when it comes to security, offering up unneeded (and many times unknown) services by default has proved to be a poor practice.

With last Thursday's product launch of Windows Server 2003, (the operating system formerly known as ".NET") this has all changed. The install is actually a bit anticlimactic -- you boot, install the operating system, and are left with a bare-bones, minimal-service installation. No bells, no whistles. IIS does not install, and even after you install it by invoking the "role wizard," you are left with minimal Web server functionality.

If you want something, you've got to install it yourself. When you install Terminal Services, users are automatically severely limited in what actions they can take within a TS session. And thanks to the Internet Explorer Enhanced Security Configuration, you can't even browse the Web from the server without making explicit configuration changes.

This is what many of us have been waiting for, and it is great to see Microsoft deliver. They even coordinated the product launch with a comprehensive "Windows Sever 2003 Security Guide" and an XP/Win2k3 "Threats and Countermeasures" companion, immediately providing security configuration information to their customers.

Thank You For Being Ripped Off By AT&T...

The concept of "security by default" is beginning to permeate the culture of mainstream technologies. Hopefully, other business environments will follow suit.

For instance, AT&T customers have been in the news lately as victims of long distance service theft. People with poor security on their voicemail systems have had their announcement message changed to declare that long distance calls can be placed against the account. In one reported case, a customer was being held accountable for over $8,000 dollars in international charges to Saudi Arabia and other countries. An AT&T spokesman was quoted as saying that "it is the responsibility of the customer to secure their voicemail system"

If AT&T tried to make me pay a bill like that, I'll tell them to go piss up a rope.

AT&T's default security of their product is insecure. Yes, it may be my fault that someone could change my announcement message, but it is AT&T's fault that their policy allows automated, un-authenticated charges to be placed on someone's account by merit of a voicemail message. The reality is that few companies really need to allow such charges to be made. The secure stance would be to require a company to "register" for such a service, not to allow it by default. Aggravating the issue is the fact that AT&T expects its customers to pay for its own mistakes.

And that is something that customers are not willing to put up with any longer. Microsoft deserves kudos for Win2k3's security posture, and "secure by default" is an standard every business should strive for, no matter what they're selling.

© SecurityFocus logo

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.