Arrival of Windows Server 2003 Heralds New Era for Software Security
April 14, 2003
Windows Server 2003 is the first new operating system from Microsoft since the company took on the challenge of its Trustworthy Computing initiative.

REDMOND, Wash., April 14, 2003 — For countless people and businesses around the world, the Internet is a dream come true, but at times that dream has nearly become a nightmare. Along with the benefits of instant global communication and increased connectivity, new security risks have emerged on a scale that few anticipated or could have imagined. As people everywhere increase their reliance on the Internet to help them communicate and conduct business, the need for a secure computing platform becomes more apparent and more critical each day.

Windows Server 2003, which Microsoft will make generally available on April 24, will set a new security standard for server operating systems. Windows Server 2003 is the first operating system released by Microsoft since the company's chairman and chief software architect, Bill Gates, challenged all 50,000 Microsoft employees in January 2002 to build more Trustworthy Computing products and services for customers that would make computing as worry free as the electricity that powers their homes and offices.

"We want to get to the point where security is a given, where people use software and computing technology with the same confidence they have when they turn on a lamp or pick up a phone," says Michael Stephenson, lead product manager in the Windows Server division at Microsoft. "We're not there yet, but we will get there. Windows Server 2003 is a huge step forward."

Security is just one of the four pillars of the Trustworthy Computing initiative (the other three are privacy, reliability and business integrity), but Stephenson and Steve Lipner, director of security assurance in the Security Business Unit at Microsoft, say that Microsoft is committed to making all of its software secure by design, secure by default, and secure in deployment, as well as communicating proactively with customers to provide the notification, resources and guidance they need to maintain a secure computing environment.

Secure by Design

Early in 2002, in response to Gates' challenge, Microsoft took the unprecedented step of ordering more than 11,000 Windows engineers to "stand down" and halt all development work, while the company conducted 10 weeks of intensive security training, testing and analysis, and developers searched the Windows code base for potential vulnerabilities.

All Windows engineers, plus thousands of engineers in other parts of the company, were taught to write secure code, which included specialized testing techniques and threat modeling. The threat-modeling process taught program managers, architects and testers to think like attackers, and half of all bugs identified during the Windows security push were found during threat-model analysis. Microsoft even trained the people who write product documentation to write with security in mind, to make it easier for customers to understand how to implement and maintain security on the Windows platform.

For developers working on Windows Server 2003, the challenge was even more immediate and acute than for many of their colleagues. Windows Server 2003 was already in beta release when the security push began, and customers in the Joint Development Program for Windows Server 2003 were already deploying the beta version. Priorities had to be established, and in the end the process created the most secure server operating system Microsoft has released to date.

"We were jumping into this in the middle of the project, so we started working along two different paths simultaneously," says Steve Lipner, director of security assurance in the Security Business Unit at Microsoft. "We focused on threat modeling as our key step initially, but the groups were also testing and doing code review to find lower-level security bugs such as coding errors that could result in potential security problems."

According to Lipner, once the threat models were complete, developers were able to go through the code in a more focused quest for specific security vulnerabilities that might have higher impact. Besides fixing bugs, developers also found a number of other ways to tighten security by design in Windows Server 2003. For example, the team removed the Universal Plug and Play (UPnP) feature from Windows Server 2003. UPnP is a network device discovery feature that makes it easy for personal computers to locate, recognize and work with other devices.

"You need UPnP on your desktop or home PC to find other devices, but it's not something you need on a server," Stephenson says.

The public key infrastructure (PKI) services in Windows Server 2003 (essentially a system of digital certificates that uses public key cryptography to authenticate the validity of each party involved in an electronic transaction) have been significantly enhanced. Windows Server 2003 makes PKI, and associated technologies like smart cards, more manageable and easier to deploy and operate. Windows Server 2003 also supports Protected Extensible Authentication Protocol (PEAP), which offers encrypted password-based authentication to enhance the security of wireless connections. PEAP is a flexible security alternative for customers who need wireless productivity but don't have the resources to deploy a full PKI.

Another design feature that has been core to Windows servers for some time but was enhanced in Windows Server 2003 is the ability for users to do a single sign-on and have access to multiple resources. According to Stephenson, this is unique to the Windows environment, and the lack of single sign-on capability in competing systems is a growing problem for many customers, who are forced to set up many different repositories and manage user accounts across multiple directories. And users who have many different user names and passwords end up writing them down, which creates additional security risks.

"This is a significant advantage we have over many competitors in this space," Stephenson says. "When a user logs on through their Windows desktop to a Windows server using the Kerberos protocol, we can now enable them to access file shares, network access points such as wireless and VPN connections, email servers, applications, Web sites and so on, and they never need to resubmit their credentials for authentication."

As with any development project, however, there were also tradeoffs. One of those involved certain legacy features that the development team would have preferred to remove, but that customers still depend on. In the end, Microsoft decided to leave those legacy features in place in Windows Server 2003, but to give customers a heads-up that they will be taken out of future versions. For the sake of security, Microsoft also disabled those features. Customers who still need the features can turn them on, while others can leave them turned off for enhanced security.

Secure by Default

In the past, Stephenson says, product features were typically enabled by default if there was any possibility that a customer might want to use them. Today, Microsoft has turned that policy around and is much more likely to choose the most secure option as the default setting. With Windows Server 2003, Microsoft disabled or reduced the privileges of more than 20 different services by default, including Internet Information Services (IIS) 6.0.

"We realized that it didn't make sense to have a service like IIS running by default, because many customers might not even realize it was there," Stephenson says. "We believe that disabling many services by default is an important benefit for customers, because they have to make the decision to load IIS or another disabled feature. In making that decision and acting on it, they also realize the feature they have enabled is something they have to manage and keep up to date on that server."

Microsoft also locked down Internet Explorer (IE) so that it is in the highest security setting by default. That means the browser does not trust any site on the Internet by default. Instead, the high security setting in IE drastically limits the functionality of Web sites until users take explicit action to change the security settings or to designate their trusted sites. Stephenson says Microsoft also added a policy to Windows Server 2003 that prevents an administrator or user from logging on remotely using a blank password.

Secure in Deployment

"One of the things we found in working with customers and other industry security experts is that 95 percent of all security problems were caused by misconfiguration," Lipner says. "What that told us is that it is entirely too difficult to configure an environment or a server for security."

As part of the Trustworthy Computing initiative, Microsoft is exploring ways to simplify the experience of configuring a Windows environment for security. Later this year, for example, the company plans to release a new Security Configuration Wizard for Windows Server 2003. Security settings for different servers will vary greatly depending on the customer's needs and the role (file server, Web server, application server, Active Directory domain controller, etc.) that each server will play in the customer's environment.

Microsoft has built a knowledge base of best practices related to how servers should be deployed according to role, and created a wizard that asks the person deploying the server a few simple questions about their environment. Based on the answers to those questions, the wizard automatically configures the server for the optimal secure state.

By contrast, when Windows 2000 Server came out several guides were published to help administrators with server configuration. Typically, administrators would get the guides, which collectively might be the size of a telephone book, and go through them over time to figure out how to configure the server for security. The Security Configuration Wizard for Windows Server 2003 takes all of the knowledge and best practices and puts them into a tool that automates how administrators can configure the server.

"There are a lot of different knobs you can play with that have an impact on security," Lipner says. "What we want to do is to make it as simple as possible for the administrator to configure each server at the best level of security for its role."

Customers Are More Secure

According to Lipner, the greatest benefit to customers who deploy Windows Server 2003 is that they will be able to spend less time worrying about security and patches. The new server software also benefits customers in three key ways: simplifying the overall security management process; improving identity and access management; and enabling customers to build secure access to different networks.

  1. Microsoft has simplified the overall security management process by reducing the number of vulnerabilities that are in Windows Server 2003. The Security Configuration Wizard will simplify things even more. Still, there are times when customers will have to apply patches. Microsoft's goal is to make it as easy and seamless as possible for customers to apply patches when needed with resources like Windows Update and Software Update Services.

  2. With Windows Server 2003, Microsoft has also simplified how administrators manage user identities; how those identities authenticate to the system; and how administrators manage what those users can access. This is accomplished through a number of enhancements to the Active Directory (AD) directory service, making it simpler to deploy and enable security features such as cross-forest trust, which allows two different AD environments within large organizations to "trust" each other. Once that trust is established, users from one AD forest can access a resource secured in another AD forest, with no requirement for duplicated identities.

    Windows Server 2003 also enables customers to use role-based authorization within applications. This allows customers to simplify the process of managing which users have access to which applications and to what extent. For example, a customer may have an order entry application, and may define two separate roles for sales representatives and sales managers. The sales representative can enter a sales order, but nothing more. The sales manager, however, can enter a sales order, review and approve sales orders entered by others, and compile sales data as necessary.

  3. Windows Server 2003 has a number of new capabilities to enable customers to build secure access to different networks, whether they are wired, wireless, or remote VPN networks. By adding features such as PEAP, Microsoft set up an environment in which access to a wireless network requires a user to authenticate to the access point. That can be accomplished using a user name and password, or a digital certificate, which can be sent to their machine automatically and remain seamless from the end-user's perspective. This eliminates the risk of someone from outside the company getting into the wireless network and gaining access to sensitive resources.

Locking the Gate

Windows developers also set out to eliminate serious, ongoing security issues that had emerged around earlier versions of Internet Information Services (IIS) and buffer overruns in the product.

"We actually took a step back with IIS and completely redesigned it," Stephenson says. "It's entirely new, but we also took care to make migration easy."

As part of that effort, developers built an isolated Web application model for IIS. Every Web application running on a Web server can now be efficiently deployed in its own isolated process, which prevents one application from disrupting another. If an application is compromised in some way, there is no risk of it interrupting other applications or services that are running on the Web server.

To accomplish that, Microsoft designed Windows Server 2003 to take advantage of two new service accounts in Windows XP: a local service account and a network service account. The way many customers chose to set up Windows 2000 Server, if someone got onto the system through IIS and compromised the application they would have access to everything on the server and everything the service account could access over the network. Windows Server 2003 employs the two new service accounts so that everything running within IIS runs in the network service account. An application can communicate with other services over the network and within its own process, but if it's compromised then it won't be able to take over the entire server.

A number of other services also run with lower privileges. For example, a user coming in over a Telnet session used to have access to everything the user account had on the local system as well as across the network. So if the Telnet session was compromised, that would increase the security risk. With Windows Server 2003, Telnet now runs as a local system account, giving the user access only to that local machine.

Buffer overruns were an ongoing industry problem that Microsoft wanted to resolve with Windows Server 2003. Buffers are used in a variety of ways to control data, but if the amount of data written into a buffer exceeds its capacity the buffer overflows and the extra data can cause the program to fail or run an attacker's hostile code. From a security standpoint this is a serious problem, because malicious hackers can exploit buffer overruns by attaching executable instructions to the end of data and causing that code to run.

Microsoft has two key tools it uses to detect buffer overruns during development. One is called PreFix, a massive tool that runs every couple of weeks across the entire Windows code base and automatically flags anything that looks like a buffer overrun for human review and correction. Another tool, PreFast, runs on a program-by-program basis and is very effective at finding buffer overruns.

Windows Server 2003 also includes a new environment for writing applications: the .NET Framework. One piece of that is the Common Language Runtime (CLR), which makes it easier for developers to write applications without having to worry about many common security mistakes such as buffer overruns.

"This is critical," Stephenson says. "The Common Language Runtime is a good step toward helping developers write more secure code."

In building Windows Server 2003, Microsoft developers replaced a lot of code with safer forms. One problem with buffer overruns, according to Lipner, is that there are as many ways to write buffer overruns as there are to write computer programs; in effect, an infinite number.

"There's no magic wand you can wave and make all the buffer overruns disappear," he says. "You have to do a batch of things." Microsoft combined training, new coding practices, tools and compilers in an effort to eliminate buffer overruns from Windows Server 2003.
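The overrun mechanism described a few paragraphs earlier (data written into a fixed-size buffer without regard to its capacity) and the "safer forms" of code mentioned just above, shown side by side as an added C example. This code is not from the article and is not Microsoft's; the buffer size `NAME_MAX`, the function names and the sample inputs are all constructed for illustration. The unsafe form is included only for contrast and is never called with oversized input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed-size buffer used by both forms */

/* "Before": the classic unsafe form. strcpy copies until it finds the NUL
 * and never consults the destination's capacity, so any src longer than
 * NAME_MAX - 1 characters writes past the end of name (undefined behaviour,
 * which is exactly the condition an attacker's data can trigger).
 * Kept here for contrast only; nothing in this file calls it with
 * oversized input. */
void copy_name_unsafe(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);
}

/* "After": the copy is told how big the destination is and refuses any
 * input that would not fit together with its terminating NUL. Returns true
 * on success. On failure dst is set to the empty string, so a caller never
 * sees a half-copied or unterminated value. */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dst_size) {            /* no room for n chars plus the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);        /* n + 1 copies the NUL as well */
    return true;
}

/* Constructed sample input (not from the page): one name that fits and one
 * that is deliberately longer than NAME_MAX. */
static const char *const SAMPLE_INPUT[] = {
    "alice",
    "this-name-is-far-too-long-for-the-buffer",
};

/* Runs every sample through the bounded copy and returns how many were
 * rejected. With a correct bound exactly the oversized one is rejected. */
int process_samples(void)
{
    int rejected = 0;
    for (size_t i = 0; i < sizeof SAMPLE_INPUT / sizeof SAMPLE_INPUT[0]; i++) {
        char name[NAME_MAX];
        if (copy_name_bounded(name, sizeof name, SAMPLE_INPUT[i]))
            printf("accepted: %s\n", name);
        else
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("rejected %d oversized input(s)\n", process_samples());
    return 0;
}
```

The point of the safer form is that the capacity travels with the buffer: the check happens at the copy, not at whichever caller happened to remember the limit. Rejecting rather than silently truncating also avoids a second class of bugs, where a truncated value is later treated as if it were complete.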

"We know we haven't achieved perfection," Lipner says. "Software is built by people, so perfection is impossible. But we know we've vastly reduced the probability of buffer overruns through all of these different measures."

Common Criteria Certification

Like Windows 2000, Windows Server 2003 will also be evaluated for Common Criteria Certification, which is an internationally recognized evaluation of the security features as well as the development and testing processes associated with information technology products. Certification comes only after a rigorous evaluation process establishes that a product has implemented a recognized set of security features. Product documentation and testing also must meet a set of international standards. Common Criteria Certification is recognized by 18 nations as a standard of security quality, and provides customers with useful information about products that can meet their security needs.

Windows 2000, which recently received certification after a process that lasted more than two years, was evaluated with the broadest set of real-world scenarios of any information technology product that has gone through Common Criteria Certification, and to a higher level of certification than any general purpose software that has ever been evaluated.

Certification is done by the National Information Assurance Partnership (NIAP), which in the United States is run by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIAP is the U.S. member of the Common Criteria Organization, which is an international body.

Enabling Secure Computing Everywhere

When it comes to writing secure code, Microsoft wrote the book, literally. Security experts at the company wrote the text, and it was used to help train developers during the 10-week stand down last year. Microsoft has published the book, "Writing Secure Code," by Michael Howard and David LeBlanc, through Microsoft Press, so that other companies and developers can have access to the information.

"We could build the most secure operating system in the world, but if independent software vendors and application developers aren't writing secure code, then the experience for the customer is going to be the same as having an insecure operating system," Stephenson says. "We want to share our best practices, not only with our partners but also with our competitors. Hopefully, they will do the same. This is good for the entire industry."
