1.4 Security Features in the Windows Server 2003 Family

Compared to their predecessors, Windows NT and Windows 2000 provided numerous security features. In fact, since the inception of Windows NT Advanced Server 3.1 in 1993, the Windows NT family has always provided a suite of security-focused features. Over the years, subsequent releases have added new security features and expanded existing ones.

Just as with earlier releases, Windows Server 2003 improves on previous operating system releases by enhancing existing security features and adding new ones. Some of the security features that are carried forward from previous versions include:

Kerberos authentication

Kerberos is a standardized and widely used network authentication protocol. Originally incorporated into Windows 2000, Kerberos provides proof of identity for users, computers, and services running on Windows 2000, Windows XP Professional, and Windows Server 2003. Prior to the use of Kerberos in Windows 2000, NTLM was used as the authentication protocol. While NTLM is still a useful protocol for maintaining compatibility with older operating systems, it is not as efficient or interoperable as Kerberos. NTLM also has some security shortfalls that Kerberos does not. Kerberos and NTLM are described in depth in Chapter 7.

IP Security

TCP/IP's use has become widespread. While TCP/IP provides enormous benefits over other network protocols, it is not desirable from a security standpoint. Data sent over a network with this suite of protocols is not designed to be secure and can be easily intercepted and decoded. IP Security (IPSec) is a set of RFC-based standards that defines how data can be sent securely via TCP/IP. Data can be encrypted, digitally signed, or both using IPSec. Many hardware devices, such as routers and firewalls, support IPSec communications. IPSec is available in Windows 2000, Windows XP Professional, and Windows Server 2003 family products. It's incorporated right into the networking drivers, which allows it to integrate smoothly with the existing TCP/IP software. The implementation is compliant with established standards, which allows Windows Server 2003 to communicate with other properly equipped network devices via IPSec. IPSec is described in depth in Chapter 8.

Encrypting File System

Files on a hard drive may be compromised when the physical security of a computer is compromised. Because physical security cannot always be guaranteed, an additional measure of safety can be taken to safeguard against data stolen from a hard drive. The Encrypting File System (EFS) can be used to encrypt the data written to the hard drive. This ensures that only the user holding the appropriate decryption key can retrieve the data. If the hard drive is compromised and the decryption key is not stored on that hard drive, the data is not readable. EFS is described in depth in Chapter 4.

Group Policy

When you create a security infrastructure, you want the ability to make configuration settings for all objects within that infrastructure. These settings often include minimum password requirements, user session restrictions, and so on. Group Policy provides a mechanism to transparently configure computers within an enterprise with all desired security settings. You, as an administrator, can force users and computers to use the settings you want. This allows you to keep your users more secure and protect them against a multitude of attacks. Users do not know how they receive the security settings, and the settings cannot be overridden without the appropriate privilege. Group Policy is described in depth in Chapter 5.

Certificate Services

Use of public key cryptography has become common across a wide variety of applications and services. Public key certificates are essential to providing and trusting these keys across organizations and around the world. Certificate Services provides a software application that receives, approves, issues, and stores public key certificates. This book examines both the cryptography behind the certificates and exactly how to plan and deploy a public key infrastructure (PKI). Public key cryptography is discussed in depth in Chapter 2. Because of the complexity and importance of Certificate Services, it is covered in depth in Chapter 9.

Smart card support

All security in Windows is based on the concept of a user context. This user context is usually proven to the local and remote computers with the use of a username and password supplied by the user or software component. Because the username and password are bits of information a user enters, they can be replicated or stolen in a variety of ways. Requiring some physical component in addition to the username and password data adds a great deal of security to that user context. Smart cards are devices that are designed to store information that, in conjunction with a personal identification number (PIN), takes the place of the username and password. If you require the use of smart cards, a user cannot prove his identity without both the physical card and the corresponding PIN. Smart cards are discussed in depth in Chapter 10.

1.4.1 Security Enhancements in Windows XP and the Windows Server 2003 Family

During the development of Windows XP and Windows Server 2003, Microsoft gave close scrutiny to all security components. This scrutiny culminated in a months-long halt to the development of Windows so that Microsoft could take the time it needed to examine existing code, processes, and features for vulnerabilities and weaknesses. These were analyzed and addressed in a methodical fashion. Occasionally this review bordered on the brutal in its results, with entire features being removed from the operating system when they could not be made reasonably secure. Some less frequently used or more vulnerable features were not removed, although their configuration was changed to make them disabled or not installed by default. Although this effort did delay the production of Windows Server 2003, it was certainly a valuable investment of time and resources.

Because Windows XP and Windows Server 2003 share many common software components, some of the security improvements affect both versions in the same way. Besides the strong underlying security architecture, you can directly observe and configure several improvements. A few of the big ones include:

Encrypting File System (EFS) improvements

In Windows 2000, EFS provided encryption for files with the DESX encryption algorithm (a stronger variant of the Data Encryption Standard?DES). This algorithm provides better data protection than the generic DES algorithm, but several stronger options are available. In Windows XP and Windows Server 2003, EFS can now encrypt files using the triple-DES (3DES) encryption algorithm. This improvement provides 168-bit encryption for data, which is reasonably resistant to most current attacks. Another improvement to EFS is the removal of the requirement for a data recovery agent. This allows you to configure EFS with fewer options for recovering data but increases the level of data security. In addition, you can add more than one user to an EFS file to allow multiple users to decrypt the contents. This enables more secure file sharing both locally and over the network.

Smart card support

Windows 2000 provided a foundation for smart card support. However, its use was somewhat restricted to logon operations within an Active Directory domain. A common administrative scenario that was not addressed by Windows 2000 smart card support was using smart card credentials to run specific applications while remaining logged in as a different user. This scenario is addressed in Windows XP and Windows Server 2003 and allows an administrator to remain logged in as a standard user while providing specific, isolated administrative functions using credentials from the smart card.

IP Security

While the underlying components of IPSec remain largely the same as Windows 2000, a significant improvement is introduced for its monitoring and troubleshooting. In Windows 2000, a standalone tool called IPSecMon was the only way to discover what IPSec was doing. In Windows XP and Windows Server 2003, a new Microsoft Management Console tool is available to monitor IPSec. Called IP Security Monitor, it provides detail about the operation of IPSec and can help assess misconfigurations. IP Security Monitor works well as a complement to other tools such as Resultant Set of Policy (RSoP), Netdiag, Network Monitor, and the IPSec logs to help ensure that your IPSec communications are indeed secure.

1.4.2 Security Enhancements in Windows Server 2003, Standard Server Edition

Windows Server 2003 Standard Server is the foundation of the Windows Server 2003 server architecture. This version of Windows Server 2003 is suitable for a wide range of applications in a server environment, providing services from file storage to user account management to HTTP. Because it is likely to be used for many different tasks, numerous security improvements were made to Windows Server 2003 Standard Server, including:

Even stronger encryption for EFS

Because EFS is a strong method of protection against physical compromise of a computer, you want to use the strongest possible encryption available. The recently finalized Advanced Encryption Standard (AES) algorithm was designed as a replacement for the DES suite of algorithms. EFS supports file encryption with this new AES algorithm, which uses a 256-bit key.

Enhanced Group Policy

Group Policy remains the easiest and most powerful way to restrict and configure a user's experience. Because numerous features have been added to Windows XP and Windows Server 2003, new group policy settings were added to configure them. This allows these new features to be used exactly as you want across the organization or disabled entirely when appropriate. And proper configuration of all features through rich Group Policy is essential to deploying and configuring more secure client and server environments.

Software Restriction Policy

Users running arbitrary software from unsafe sources are some of the biggest security risks you will face as an administrator. Ensuring they are protected from email attachments and software sent on CD-ROM or other removable media is critical. Virus scanners are often effective in combating this issue, but new virus variants and methods appear almost daily. To help stop the problem at its source, Windows Server 2003 Standard Server provides a specific type of group policy restriction called the software restriction policy (SRP). This allows you to describe what programs users can or cannot run. Users who try to run software disallowed by this policy will not be successful, and their computers will remain safe. Although SRP was made available in Windows XP, the management and control of those policies are greatly enhanced with Windows Server 2003. Configuring SRP is discussed in depth in Chapter 6.

Improved certification authority

The certification authority available on Windows 2000 provided a simple way to configure and issue certificates to users and computers in an enterprise. It did not provide a great deal of flexibility for customization or newly developed PKI-aware applications. Windows Server 2003 Standard Server further improves the certification authority by offering new features such as client autoenrollment to automatically deploy and manage client certificates, configurable application and issuance policies to give the administrator deep configuration control of issued certificates, and certificate authority administrative roles to help prevent any single administrator from holding too much power within a certification authority.

IIS Lockdown

Internet Information Services (IIS) provides web-based services for Windows and is in widespread use. It is frequently used on computers that are accessed anonymously from the Internet. Its security must often be more relaxed than other computers within an organization to allow some of its primary functions to run correctly. In addition, many administrators never configure IIS on their servers, especially if it is not intended to be used on that computer or if the computer is not exposed directly to the Internet.

Because IIS is, by its nature, frequently exposed to the Internet, its relaxed security requirements and its frequent misconfiguration make it one of the biggest areas of security exposure for Windows 2000. This is addressed by Windows Server 2003 in a straightforward manner: IIS is not installed by default. When IIS is explicitly installed, most of its features are disabled and must be enabled manually. For previous versions of IIS and Windows, a tool called IIS Lockdown was provided. The functionality of that tool is now integrated with Windows Server 2003 and IIS 6.0. For more information on IIS and its new security options, see Chapter 12.

1.4.3 Security Enhancements in Windows Server 2003, Enterprise Server Edition

Windows Server 2003 Enterprise Server is the most feature-rich version of Windows Server 2003 available. It has the ability to scale to meet the needs of most deployments.

There are several differences in the security features between Windows Server 2003 Standard Server and Windows Server 2003 Enterprise Server. Windows Server 2003 Enterprise Server provides all the functionality of Windows Server 2003 Standard Server plus several enhancements:

Configurable certificate templates

All public key certificate requests are issued based on configuration settings. Some of these settings are configured for each certification authority, while others are configured based on the type of certificate requested. Certificate templates contain the settings for each type of certificate that can be issued. In Windows Server 2003 Enterprise Server, certificate templates can be created, deleted, and customized to provide the exact functionality desired.

Separation of certification authority roles

A number of standards define how a certification authority must be administered. Most of them require different users to perform different tasks, such as requiring an administrator to configure the certification authority and a separate auditor to monitor the activity on that certification authority. Role separation is a new feature that requires a user to have no more than one certification authority management role. This is to ensure that there are no "superusers" who can perform all tasks and potentially mask their own manipulation of the system.

Key recovery

When a certification authority receives a certificate request, the request normally contains the public key, the requester's identification, and other information that is configured in the certificate template. The associated private key is generated on the requester's computer and does not leave that computer, assuring its secrecy. When key recovery is configured on Windows Server 2003, the certificate request process will also securely provide the requester's private key to the certification authority. The certification authority will then encrypt and store that key until the requester needs to recover it. At that time, a designated recovery agent will decrypt the private key and provide it to the requester. The requester need not lose all data encrypted with that private key if it is stored on the certification authority.

There are many other differences between Windows Server 2003 Standard and Enterprise, including a significant price difference. Any decision to deploy one version in preference to the other should be made only after carefully planning the server's business roles and determining the needs it must meet. Once you define the functionality you need, you should carefully review each product's features and from that determine which one best suits your needs. Both servers provide the same level of core security?it's not easier to compromise Standard Server than the Enterprise Edition. The difference lies in the additional security features that Enterprise Edition provides and the higher cost of its license.