Microsoft's New Security Philosophy

In mid-2002, an unprecedented series of major security flaws was uncovered in Windows 2000, Internet Explorer 6.0, and IIS 5.0, some of Microsoft's most strategically important products. The resulting media backlash prompted a now-famous "trustworthy computing" internal memo from Bill Gates to all Microsoft employees. The gist of the memo was this: Stop programming and take a look at what you're doing from a security perspective. For two months, production on all Microsoft products stopped, and Microsoft programmers and other employees attended a series of classes designed to highlight common programming practices that often result in security flaws. The programmers also reviewed the code for their products, including Windows Server 2003, with an eye toward removing those insecure programming practices. The result, according to Microsoft, is that a huge number of security flaws were removed from Windows Server 2003 (and other products) before it was released to manufacturing.

Other practices changed, too. For example, Microsoft products usually go through a beta cycle and then a release candidate (RC) cycle. During the RC phase, new features aren't supposed to be added to the product and major changes aren't supposed to be made. The RC phase is normally designed to catch and fix bugs; any feature that has bugs that can't be fixed is dropped from the product and rolled to the next version's development. For Windows Server 2003, however, the door was left open for security-related changes throughout the product's lifecycle and even into the RC phase. Normally prohibited changes, such as changes to the product's user interface, were allowed if they had a security implication. The message was clear: Deadlines could be missed and features could change if doing so was necessary to prevent security problems in the product.

The new security philosophy resulted in several important changes. For example, IIS has been a major source of security vulnerabilities, largely because IIS is installed by default on all Windows 2000 Server computers. Windows Server 2003 improves its own security by not installing IIS by default and, when an administrator does install IIS, by using a default configuration that disables many of IIS's more commonly exploited features, such as dynamic Web pages.


The biggest security mistake is complacency. Despite Microsoft's new philosophy and attention to security, Windows Server 2003 has undiscovered security vulnerabilities. Maintaining a secure environment requires constant vigilance, an aggressive program of applying security updates to all computers, and an inherently secure network design. In other words, you should expect a good portion of your time as an administrator to be spent on security and security-related tasks. Don't rely on Microsoft to do your security work for you; investigate potential security holes in your infrastructure and develop ways to protect them.

A major portion of Microsoft's new security philosophy is reflected in the default configurations for its products. In the past, Microsoft's goal was to provide a default configuration that offered maximum functionality. Now, Microsoft's goal is to provide a more secure default configuration, even at the expense of advanced functionality and features. In other words, Microsoft is willing to ship features that aren't turned on by default, requiring an administrator to enable those features manually and, in doing so, implicitly acknowledge their security implications.

This new philosophy puts a lot more of the security burden on you, the Windows administrator. Before you change any default settings or install any additional components, think about what they'll do to the security of your network. Research settings and components to discover their potential weaknesses and find out how hackers might exploit them to attack your network.