Windows Server 2003 – Secure by Default
Opinion With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot, writes SecurityFocus columnist Tim Mullen.
One of the biggest criticisms of Windows 2000 was its "everything on" default installation state. For a consumer operating system, it made sense: people wanted specific functionality, and Microsoft provided it for them. For example, IIS installation was enabled by default with all possible mappings and sub-services enabled.
The problem was that no one really needed Internet Printing services enabled by default. Few needed IDQ mapped to the Index Server ISAPI extensions. And production environments certainly didn't need sample files and code examples loaded and reachable by anonymous users.
The thought was that if you didn't need a service or application, then you would go and turn it off or uninstall it.
Microsoft is not alone in this folly. Solaris, for instance, also turns on many potentially unneeded services by default. I attended Jay Beale's "Securing Solaris" Blackhat training session (in disguise, of course) and was surprised by the amount of work one had to go through to turn off all the services you really didn't need.
The problem is that many people don't actually go back and turn things off -- particularly when Windows is involved. Code Red infections are testament to this.
But I can relate to the mindset. When I first became interested in Linux, I purchased Red Hat and went on a binge to explore everything. And I mean everything. I did a complete installation. Why? Because I had no idea of what I was doing, and I didn't want to miss out on something. I didn't want to lose the opportunity of checking out something cool.
I'm sure many others feel the same way, and that is why Microsoft thought they would save people the trouble of going back and loading applications by installing the "popular" ones by default. But when it comes to security, offering up unneeded (and many times unknown) services by default has proved to be a poor practice.
With last Thursday's product launch of Windows Server 2003, (the operating system formerly known as ".NET") this has all changed. The install is actually a bit anticlimactic -- you boot, install the operating system, and are left with a bare-bones, minimal-service installation. No bells, no whistles. IIS does not install, and even after you install it by invoking the "role wizard," you are left with minimal Web server functionality.
If you want something, you've got to install it yourself. When you install Terminal Services, users are automatically severely limited in what actions they can take within a TS session. And thanks to the Internet Explorer Enhanced Security Configuration, you can't even browse the Web from the server without making explicit configuration changes.
This is what many of us have been waiting for, and it is great to see Microsoft deliver. They even coordinated the product launch with a comprehensive "Windows Sever 2003 Security Guide" and an XP/Win2k3 "Threats and Countermeasures" companion, immediately providing security configuration information to their customers.
Thank You For Being Ripped Off By AT&T...
The concept of "security by default" is beginning to permeate the culture of mainstream technologies. Hopefully, other business environments will follow suit.
For instance, AT&T customers have been in the news lately as victims of long distance service theft. People with poor security on their voicemail systems have had their announcement message changed to declare that long distance calls can be placed against the account. In one reported case, a customer was being held accountable for over $8,000 dollars in international charges to Saudi Arabia and other countries. An AT&T spokesman was quoted as saying that "it is the responsibility of the customer to secure their voicemail system"
If AT&T tried to make me pay a bill like that, I'll tell them to go piss up a rope.
AT&T's default security of their product is insecure. Yes, it may be my fault that someone could change my announcement message, but it is AT&T's fault that their policy allows automated, un-authenticated charges to be placed on someone's account by merit of a voicemail message. The reality is that few companies really need to allow such charges to be made. The secure stance would be to require a company to "register" for such a service, not to allow it by default. Aggravating the issue is the fact that AT&T expects its customers to pay for its own mistakes.
And that is something that customers are not willing to put up with any longer. Microsoft deserves kudos for Win2k3's security posture, and "secure by default" is an standard every business should strive for, no matter what they're selling.
Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.