What's New in Windows Server 2003 Security

Published: April 19, 2002 | Updated: January 20, 2003

Introduction

What's New in Security

Businesses have extended the traditional local area network (LAN) by combining intranets, extranets and Internet sites; as a result, increased system security is now more critical than ever before. To provide a secure computing environment, the Windows Server 2003 operating system provides many important new security features and improves on the security features originally included in Windows 2000 Server.

Trustworthy Computing

Viruses exist, and software security is an ongoing challenge. To address these facts, Microsoft has made Trustworthy Computing a key initiative for all its products. Trustworthy Computing is a framework for developing devices powered by computers and software that are as secure and trustworthy as the everyday devices and appliances you use at home. While no Trustworthy Computing platform exists today, the basic redesign of Windows Server 2003 is a solid step towards making this vision a reality.

Common Language Runtime

The Common Language Runtime software engine is a key element of Windows Server 2003 that improves reliability and helps ensure a safe computing environment. It reduces the number of bugs and security holes caused by common programming mistakes—as a result, there are fewer vulnerabilities for attackers to exploit.

The Common Language Runtime verifies that applications can run without error and checks for appropriate security permissions, making sure that code performs only appropriate operations. It does this by checking such things as where the code was downloaded or installed from, whether it has a digital signature from a trusted developer, and whether the code has been altered since it was digitally signed.


Benefits

Windows Server 2003 will provide a more secure and economical platform for doing business.


Lower Costs

This results from simplified security management processes such as access control lists and Credential Manager.

Implementation of Open Standards

The IEEE 802.1X protocol makes it easy to secure wireless LANs from the threat of eavesdropping within your business environment.

Protection for Mobile Computers and other New Devices

Security features such as Encrypting File System (EFS), certificate services, and automatic smart card enrollment make it easier to secure a full range of devices.

EFS is the core technology for encrypting and decrypting files stored on NTFS volumes. Only the user who encrypts a protected file can open the file and work with it. Certificate Services is the part of the core operating system that allows a business to act as its own certification authority (CA) and issue and manage digital certificates.

Automatic smart card enrollment and self-registration authority features provide enhanced security for enterprise users by adding another layer of authentication, in addition to simplifying security processes for security-conscious organizations.


New Features and Improvements

The Windows Server 2003 Family will provide the following:

A more secure platform for doing business

The best platform for your public key infrastructure

Secure extension of your business to the Internet

A More Secure Platform for Doing Business

Windows Server 2003 will provide many new and improved features that combine to create a more secure platform for doing business.


Internet Connection Firewall

Windows Server 2003 will provide Internet security using a software-based firewall called Internet Connection Firewall (ICF). ICF provides protection to computers directly connected to the Internet, or to computers located behind an Internet Connection Sharing (ICS) host computer that is running ICF.

Secure IAS/RADIUS Server

The Internet Authentication Server (IAS) is a Remote Authentication Dial-In User Service (RADIUS) server that manages user authentication and authorization. It also manages connections to the network that use a variety of connectivity technologies, such as dial-up, virtual private networks (VPNs), and firewalls.

Secure Wireless and Ethernet LANs

Windows Server 2003 enables the authentication and authorization of users and computers that connect to wireless and Ethernet LANs. This is accomplished by Windows Server 2003 support of the IEEE 802.1X protocols. (IEEE 802 standards define methods for accessing and controlling LANs.)

Software Restriction Policies

Windows Server 2003 will let a system administrator use policy or execution enforcement to prevent executable programs from running on a computer.

For example, specific corporate-wide applications can be restricted from running unless they're executed from a particular directory. Software restriction policies can also be configured to prevent virus-infected or malicious code from running.

Security Improvements for Servers on Ethernet and Wireless LANs

Windows Server 2003 will provide security for both Ethernet and wireless LANs that are based on IEEE 802.11 specifications, and that support public certificates deployed using autoenrollment or smart cards.

These security improvements enable access control to Ethernet networks in public places like malls or airports. Authentication of computers within an extensible authentication protocol (EAP) operating environment is also supported.

Increased Web Server Security

Information security is a critically important issue for organizations everywhere. To increase Web server security, Internet Information Services 6.0 (IIS 6.0) will be configured for maximum security right out of the box—its default installation is "locked down."

Advanced security features in IIS 6.0 include: selectable cryptographic services, advanced digest authentication, and configurable access control of processes. These are among the many new security features that enable you to conduct business securely on the Web.

Encrypting the Offline Files Database

The option to encrypt the Offline Files database is now available. This is an improvement over Windows 2000, in which cached files could not be encrypted.

This feature supports the encryption and decryption of the entire offline database. Administrative privileges are required to configure how offline files will be encrypted.

FIPS-Compliant Kernel-Mode Crypto Module

This cryptographic module runs as a kernel-mode driver and implements Federal Information Processing Standard (FIPS)-approved cryptographic algorithms: SHA-1, DES, 3DES, and an approved random number generator.

The FIPS-compliant kernel-mode crypto module lets governmental organizations deploy FIPS 140-1-compliant Internet Protocol Security (IPSec) implementations using:

L2TP (Layer Two Tunneling Protocol)/IPSec VPN client and server.

L2TP/IPSec tunnels for gateway-to-gateway VPN connections.

IPSec tunnels for gateway-to-gateway VPN connections.

IPSec-encrypted end-to-end network traffic between client and server, and between servers.

New Digest Security Package

The new digest security package supports the digest authentication protocol, along with RFC 2617 and RFC 2222. These protocols are supported by both Microsoft Internet Information Server (IIS) and the Active Directory® service.
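The RFC 2617 digest computation named above, worked through as an added example (not code from this page or from Windows Server 2003): the client computes the response, and a server-side verifier checks it while enforcing a strictly increasing nonce count so that a captured Authorization header cannot simply be replayed. The test vector is the one in RFC 2617 section 3.5; the `DigestVerifier` class and its method names are assumptions made for this example.

```python
import hashlib
import hmac


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 (qop=auth): H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # A1 = user:realm:password
    ha2 = _md5(f"{method}:{uri}")                 # A2 = method:digest-uri
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (hypothetical class for this example): stores H(A1) per
    user, never the clear password, plus the highest nonce count seen per
    nonce, so a header replayed with the same nc is rejected."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.last_nc = {}

    def add_user(self, username, password):
        self.ha1_by_user[username] = _md5(f"{username}:{self.realm}:{password}")

    def verify(self, username, method, uri, nonce, nc, cnonce, response,
               qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        if int(nc, 16) <= self.last_nc.get(nonce, 0):
            return False  # nc must strictly increase for a given nonce
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False  # wrong password, URI, method or tampered header
        self.last_nc[nonce] = int(nc, 16)
        return True


# Test vector from RFC 2617 section 3.5 (the one set of values here not constructed).
RFC_VECTOR = dict(username="Mufasa", realm="testrealm@host.com",
                  password="Circle Of Life", method="GET", uri="/dir/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  nc="00000001", cnonce="0a4f113b")
```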

System Security Improvements

Important improvements have been made to ensure overall system security including:

A performance improvement of over 35 percent when using the secure sockets layer (SSL).

IIS is not installed by default. To deploy IIS, it first has to be installed using Add/Remove Programs in the Control Panel.

Buffer checking capability in Microsoft Visual Studio®. (Buffer overruns are commonly used by hackers to exploit a system.)

Credential Manager

Credential Manager in Windows Server 2003 will provide a secure store for user credentials, including passwords and X.509 certificates.

These credentials provide a consistent, single sign-on experience for users—including roaming users. A Win32® API is available that allows server- and client-based applications to obtain user credentials.

SSL Client Authentication Improvements

In Windows Server 2003 the SSL session cache can be shared by multiple processes. This reduces the number of times a user has to reauthenticate with applications, and reduces CPU cycles on the application server.

Security Configuration Wizard for Windows Server 2003 (included with Windows Server 2003 Service Pack 1)

Security Configuration Wizard (SCW) allows you to quickly and easily configure servers running Microsoft Windows based on your functional requirements (Web server, domain controller, or other) while simultaneously authoring security policies to help minimize attack vulnerability.

The Best Platform for Your Public Key Infrastructure

Windows Server 2003 will make it easier to deploy a public key infrastructure, along with associated technologies like smart cards.


Certificate Autoenrollment and Autorenewal

These important new features dramatically reduce the amount of resources needed to manage X.509 certificates.

Windows Server 2003 will make it possible to automatically enroll and deploy certificates to users—and as certificates expire, they can be automatically renewed.

Certificate autoenrollment and autorenewal make it easier to deploy smart cards faster, and improve the security of wireless (IEEE 802.1X) connections by automatically expiring and renewing certificates.

Windows Installer Digital Signature Support

Digital signature support enables Windows Installer packages and external cabinets to be digitally signed. This lets IT administrators provide a more secure Windows Installer package, which is especially important if a package is sent over the Internet.

Certificate Revocation List (CRL) Improvements

The certificate server included in Windows Server 2003 now supports delta CRLs. A delta CRL makes the publication of revoked X.509 certificates more efficient and makes it easier for a user to retrieve a new certificate.

And because you can now specify the location where a CRL will be stored, it's much easier to move it to accommodate specific business and security needs.

Secure Extension of Your Business to the Internet

A business needs a secure way to communicate with employees, customers and partners that are not located within its intranet. Windows Server 2003 will make it easier to securely extend access to your network for individuals and other businesses that need to work with data or use resources.


Passport Integration

A Passport identity can be mapped to an Active Directory identity within Windows Server 2003. For example, by associating a Passport identity with an Active Directory identity, a business partner can be authorized to access resources through IIS, rather than having to log on directly to a Windows network. Passport integration will provide an equivalent single sign-on experience using IIS.

Cross-Forest Trusts

If you're working with a partner or company that has an Active Directory forest deployed, you can use Windows Server 2003 to set up a cross-forest trust between their forest and yours.

This allows you to explicitly trust certain, or all, users or groups in the other forest. You also have the capability to set permissions based on users or groups that are resident in the other forest. Cross-forest trusts make it easy to conduct business with other companies using Active Directory.


Summary

Efficient and secure networked computing is more important than ever for a business to remain competitive. Windows Server 2003 will let you take advantage of your existing IT investments, and extend those advantages to your partners, customers, and suppliers by deploying key features like cross-forest trusts and Passport integration.

Windows Server 2003 will provide services that create a more secure environment for doing business. It's easy to encrypt sensitive data, and software restriction policies can be used to prevent damage caused by viruses and trojans. And Windows Server 2003 is the best choice for deploying a public key infrastructure; its autoenrollment and autorenewal features make it easy to deploy smart cards and certificates across the enterprise.

For more information about security, see Technical Overview of Security Services.

Getting Secure and Staying Secure

Microsoft is committed to doing what is necessary to help customers get secure and stay secure. The single best thing you can do to maintain the health and security of the computers in your organization is to stay current with the latest security updates as they're made available.
