Examine Security Features and Tools of Microsoft Windows Server 2008

Unwrap Windows Server 2008, the first server revision under Trustworthy Computing. Microsoft promises it is secure by design, default and deployment.

Six years into Microsoft's Trustworthy Computing initiative, Windows Server 2008 (aka Longhorn) reflects Redmond's "three D" promise to deliver products that are secure by design, secure by default and secure in deployment.

"There's no doubt about it; this is the first full Windows Server revision [under Trustworthy Computing]," says Rand Morimoto, CEO and principal consultant for Oakland-based Convergent Computing, which has been piloting Windows Server 2008 internally and for customers. "When they came out with Windows Server 2003, it had already been half-baked before Trustworthy Computing began. Windows Server 2008 is built from scratch--the server core has a lot of security built in."

The verdict on the inherent security of Server 2008's code will be rendered in the number and severity of vulnerabilities that come to light in the months and years following its release (manufacturing release is scheduled for Feb. 27). Microsoft trumpets security as the primary design consideration for Windows Server 2008, the product of its security development lifecycle process (SDL). It retrained its development staff on how to write secure code and created threat models, performing extensive security testing against each model. These efforts should go a long way toward reducing flaws that can be exploited; for example, you won't have to worry about things like buffer overflow attacks against your Windows Server 2008 systems.

Is that sufficient reason to upgrade? Perhaps, but in addition to changes in the code itself, Windows Server 2008 provides many new data and network protection features and enhancements that allow you to more easily respond to new security compliance requirements. We'll focus on what Microsoft has done under the hood, as well as a few of the features that secure your directory services, data and network environments.

Windows Server 2008 introduces a number of mechanisms to help bulletproof the operating system, starting with BitLocker Drive Encryption, an optional mechanism to encrypt OS volumes while protecting the integrity of the Windows boot process. Encrypting the entire operating system volume on the hard disk hardens the OS against software attacks and loss of any other data on the drive.

BitLocker mitigates the impact of unauthorized access through two separate protection procedures: drive encryption and secure startup (integrity verification).

All user and system files on the volume are encrypted, including user data, the page file and temp files. It also provides protection for any third-party applications when installed on the encrypted volume. Drive encryption is designed to work in conjunction with a Trusted Platform Module (TPM 1.2) chipset; however, it will function on a system without TPM as long as the BIOS can boot from a USB flash drive.

As with many security technologies, there is a corresponding tradeoff in ease of management. System upgrades will require you to decrypt the volume, and non-Microsoft software updates will require you to completely disable BitLocker before you start; otherwise the system will enter recovery mode and require a recovery key or password before it can be accessed. On the other hand, setup and management is wizard-based and is extensible through a Windows Management Instrumentation (WMI) interface.

Microsoft says there is no noticeable performance impact on the server, as it imposes only a single-digit percentage increase in overhead. Encryption occurs in the background and proceeds at a rate of approximately 1 GB per minute in most cases.

Secure startup, which requires the TPM 1.2 chipset, protects the integrity of the boot process and protects against data theft or system tampering when the OS is offline or even while it is being installed. It helps to ensure that data decryption is performed only if the boot components appear unmolested and that the encrypted drive is located in the original computer. If the system is tampered with, it will be locked and refuse to boot. No ports will be opened until the OS is fully booted.

Windows Server 2008 extends its OS security features once a server is running as well. It uses digital signatures to stop hackers (or malware) from replacing operating system files with malicious files of the same name. All of the operating system's executables and dynamic link libraries (DLLs) have been digitally signed, and the OS checks the signatures prior to loading these files into memory.

In addition, Windows Server 2008 uses a technique called Address Space Layout Randomization to thwart attacks such as buffer overflows that target known addresses in the system for specific bits of code. Earlier Windows OSes use tables of hard-coded addresses, which were easy to exploit. Malware could be written to target those specific locations, then propagate to the machine through a buffer overflow. The new technique randomly arranges the positions of key data areas each time the system boots, making it look "different" to malware each time, providing protection against automated attacks.

If a piece of malware targets the wrong location, it will most likely crash the process. Windows Server 2008 has a restart limit of 10, so if a process is scheduled for auto start, which most are, the malware can't just blindly try 256 times, wait for the service to restart and then try again. After the 10th time, the server requires a reboot. At that point, an administrator should certainly realize that the system may be under attack and figure out what's going on by looking at the event logs or receiving a notification from a management utility.

Firewall rules now control outbound as well as inbound traffic.

The host-based Windows Firewall with Advanced Security has been enhanced to filter outgoing traffic as well. Rules can be based on source and destination IP addresses and on source and destination ports (TCP and UDP), and a single rule can cover multiple ports.

The latest version of the firewall is easier to configure as well.

Application rules are still based on the executable's path rather than on a hash of the executable, but you can now specify an individual service by its service name alone, instead of having to specify the exact path to the service.

Also, in previous versions of the operating system, traditional firewall behavior and IPsec policy management were handled by different interfaces. Administrators often found this confusing, and confusion leads to configuration mistakes--which can lead to potential security breaches. The firewall is now fully integrated with IPsec.
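Rules of the kind this section describes, expressed with the netsh advfirewall context that Windows Server 2008 ships. This is an added example, not code from the article; the service name ContosoAgent, the subnets and the ports are assumptions.

```powershell
# Added example (not from the article): firewall and IPsec rules entered
# through netsh advfirewall on Windows Server 2008. The service name
# (ContosoAgent), subnet and ports are assumptions; run from an elevated prompt.

# Outbound filtering: let a hypothetical ContosoAgent service reach only the
# management subnet on TCP 8443. The rule keys on the service short name, so
# no executable path is required.
netsh advfirewall firewall add rule name=ContosoAgent-Mgmt-Out dir=out action=allow service=ContosoAgent protocol=TCP remoteip=10.0.50.0/24 remoteport=8443

# One inbound rule can name several ports and an address range, and because
# IPsec shares the same policy surface it can also demand that the peer
# authenticate (security=authenticate) before the traffic is allowed.
netsh advfirewall firewall add rule name=Admin-RPC-SMB-In dir=in action=allow protocol=TCP localport=135,445 remoteip=10.0.50.10-10.0.50.20 security=authenticate

# The matching connection security rule negotiates IPsec with those hosts
# (Kerberos by default): require it inbound, request it outbound.
netsh advfirewall consec add rule name=Require-IPsec-JumpHosts endpoint1=any endpoint2=10.0.50.10-10.0.50.20 action=requireinrequestout

# With explicit allows in place, default-deny outbound on the domain profile.
# Block rules always win over allow rules in this firewall, so use the
# profile default rather than a broad "block" rule to express the deny.
# Note this affects every service on the host, not only ContosoAgent.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# Review what was created.
netsh advfirewall firewall show rule name=ContosoAgent-Mgmt-Out
netsh advfirewall firewall show rule name=Admin-RPC-SMB-In
netsh advfirewall consec show rule name=Require-IPsec-JumpHosts
```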

Because they are always "on" and generally run under accounts with high privilege levels, services (Windows and third-party) are a favorite target for malware developers. Once malware reaches a server, it can use system services to perform almost any task, such as formatting the hard disk, installing a Trojan horse or propagating itself to the network. In previous Windows operating systems, many services were turned on by default and set to run automatically whether they were being used or not. While Microsoft improved this situation in Windows Server 2003, too many unnecessary services were still running by default.

Windows Server 2008 will limit the damage that a compromised system can do through a reduced attack surface and Windows Service Hardening, which uses the principle of least privilege. The number of services installed and/or running by default has been greatly reduced, presenting fewer targets for malware.

Microsoft tackles the issue of privilege with more granular service account options. Windows Server 2003 and Windows XP use three service accounts (NetworkService, LocalService and LocalSystem). If a service running under one of those accounts were compromised, malware injected onto the system would run with the full rights of that service account. That was particularly bad under the "super-admin" LocalSystem account, which gave malware an entry point to your entire network.

Windows Server 2008 addresses this problem by expanding to six service accounts, each with a specific scope and capabilities to provide for more granular control (see "Securing Windows Services" (PDF), below). To strip services of permissions they don't require, a number of services that used to run under the context of the LocalSystem account now run under a less-privileged account, such as LocalService or NetworkService. Critical Windows services are now restricted so they can't behave beyond their normal operating parameters. For example, the Remote Procedure Call (RPC) service cannot replace system files or modify the registry.

Securing Windows Services (PDF)

You can even specify which privileges or special powers a service can have (shutdown, audit, etc.), so malware doesn't have access to all the default privileges of the account under which the compromised service is running.

Further, services now have a unique security identifier (SID), so they can no longer run under the radar. In previous server OSes, a service would run anonymously under the context of the service account it was configured to use, such as LocalSystem, giving the service extensive privileges on the local computer. That meant you could only apply an Access Control List (ACL) against the service account--generally not a practical solution--not the actual service, essentially giving administrative control to an anonymous entity. With unique SIDs, ACLs can be applied to specific services for tight control.

This can be taken a step further by applying a write-restricted token to the service process. Write attempts to resources that do not explicitly grant the service SID access will fail.
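The controls described above (a least-privileged account, a per-service SID, a write-restricted token, a privilege whitelist, and an ACL that names the service SID) applied to one hypothetical service with sc.exe and icacls, the tools Windows Server 2008 provides for this. This is an added example, not code from the article; the service name, data folder and privilege list are assumptions.

```powershell
# Added example (not from the article): apply the Windows Server 2008
# service-hardening controls to a hypothetical service named ContosoAgent.
# The service, its data folder and its privilege list are assumptions; run
# from an elevated prompt. The changes take effect at the next service start.
$svc  = 'ContosoAgent'
$data = 'C:\ProgramData\ContosoAgent'

# 1. Run under the least-privileged built-in account that still fits:
#    LocalService has no network identity; use NetworkService only if the
#    service must authenticate to other machines. sc.exe requires the space
#    after "obj=".
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Give the service its own SID and a write-restricted token. "unrestricted"
#    would create the per-service SID alone; "restricted" additionally makes
#    every write fail unless the target's ACL explicitly grants that SID.
sc.exe sidtype $svc restricted

# 3. Keep only the privileges the service actually needs; every other privilege
#    the account holds is removed from this service's token. Names are
#    separated by "/".
sc.exe privs $svc 'SeChangeNotifyPrivilege/SeCreateGlobalPrivilege'

# 4. Grant the per-service SID (principal "NT SERVICE\<name>") Modify rights on
#    its own data directory, now the only place it is able to write.
New-Item -ItemType Directory -Path $data -Force | Out-Null
icacls.exe $data /grant "NT SERVICE\${svc}:(OI)(CI)M"

# 5. Verify what the Service Control Manager recorded before restarting.
sc.exe qsidtype $svc
sc.exe qprivs $svc
sc.exe qc $svc
```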

Active Directory (AD) is at the heart of your security infrastructure--it's where you set and manage access and authorization. It can also be a huge security risk when it sits in a branch office or anywhere you cannot prevent tampering.

Network Policy and Access Services provides components required for implementing Network Access Protection.

Windows Server 2008 addresses this with a Read-Only Domain Controller (RODC), an AD domain controller that contains a read-only version of the AD Directory Services (AD DS) database and is designed to be placed in remote locations or anywhere that physical security of the server cannot be guaranteed. The AD DS replica on the RODC cannot be written to locally; any changes must be made on a writable domain controller and replicated to the RODC. By default, account passwords are not stored on an RODC, and a Password Replication Policy determines whether a user's or computer's credentials can be replicated from the writable domain controller.

You can also give a local user limited rights to perform maintenance work on the domain controller, such as upgrading a driver, without giving them control over other domain controllers or compromising the security of the AD DS.

RODCs can relieve a lot of security headaches, but you still need to keep a close eye on who's doing what to your writable AD domain controllers (especially if you elect to put one in a remote location, where you can't assure its physical security). Previous server OSes offered very limited security monitoring/logging capabilities, simply logging the name of an attribute that was changed, not the actual changes. The Directory Service Access global audit policy can now log both the old and new values of an attribute when a successful change is made to that attribute (for example, who changed a password). In Windows Server 2008, this policy is enabled by default and is divided into four subcategories to provide for more granular auditing.

Windows Server 2008 enables Network Access Protection (NAP), Microsoft's response to the network access control (NAC) issue, on Vista clients. NAP allows organizations to check a computer's compliance with security policy (up-to-date antivirus, patch level, etc.), with options to quarantine and remediate them. Using software management applications, administrators have the option to automatically update noncompliant computers. Windows Server 2008 provides a variety of server-side components for NAP: Health Policies, NAP Administration Server, System Health Validators, NAP Enforcement components (for IPsec communications, 802.1x, VPN and DHCP), and remediation. The specific components to be installed, the number of servers required and which components go on which servers varies depending on the enforcement methods being supported.

Through a subscription, you can collect logs from multiple remote computers and store them in a local XML file.

Pulling Logs Together
In the event of a security breach, you often need to determine which computers in your network have been compromised or have played a part in the breach. Historically, this required an administrator to actually go to each separate system to view its logs, connect remotely to each system, or use a third-party product, such as a log management or SIEM tool, to collect data. In Windows Server 2008 (and Vista) the Event Viewer has been rewritten to provide stronger event logging and tracing capabilities. You can collect logs from multiple remote computers and store them in a local XML file, then use a new cross-log query feature to view, correlate and analyze specific types of events on various systems. For example, you could correlate all failed logon attempts from multiple machines to see if an insider is attempting to penetrate your network.
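The failed-logon correlation the paragraph describes, as an added example that is not part of the article: it queries the Security log of several servers for event ID 4625 (an account failed to log on), groups the results by target account, and saves them as XML. It assumes PowerShell 2.0's Get-WinEvent and remote event log access; the server names are constructed.

```powershell
# Added example (not from the article): pull failed-logon events (Security
# log, event ID 4625) from several servers and correlate them by account.
# Assumes PowerShell 2.0 (Get-WinEvent) and remote Event Log access; the
# server names below are constructed for illustration.
$servers = 'SRV01', 'SRV02', 'SRV03'
$hours   = 24

# The XPath filter runs on the remote machine, so only matching events
# cross the wire. timediff() is in milliseconds.
$xpath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $($hours * 3600 * 1000)]]]"

$failures = foreach ($s in $servers) {
    Get-WinEvent -ComputerName $s -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 4625 carries its fields as EventData/Data[@Name=...].
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Server  = $s
                Time    = $_.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = $d.IpAddress
                Status  = $d.Status
            }
        }
}

# One account failing against many servers in a short window is the insider
# pattern worth a closer look: show attempts, distinct servers and sources.
$failures |
    Group-Object Account |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account  = $_.Name
            Attempts = $_.Count
            Servers  = ($_.Group | Select-Object -ExpandProperty Server -Unique) -join ','
            Sources  = ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ','
        }
    } |
    Sort-Object Attempts -Descending |
    Format-Table Account, Attempts, Servers, Sources -AutoSize

# Keep the collected events locally as XML for later analysis.
$failures | Export-Clixml -Path "$env:TEMP\failed-logons.xml"
```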

Microsoft is touting Windows Server 2008 to be its most advanced operating system yet. Beyond security, there are notable improvements in networking, remote application access, centralized role management, performance and reliability monitoring tools, failover clustering, deployment and the file system.

Windows Server 2008 provides that security foundation for the demanding and varied needs of today's business environments. In particular, Windows Service Hardening is the primary incentive to upgrade your servers. It limits how much damage an attacker can do in the unlikely event a service is compromised. The cost of a security compromise can be huge--witness the impact of Blaster. Microsoft says Blaster would not have been successful against Windows Server 2008.

Of course, as with all new products, you should look at your own infrastructure and business needs to determine if, or how fast, to deploy Windows Server 2008. Test it thoroughly in your environment, perhaps through a pilot program, before widespread implementation.

Read an interview with Bill Laing, Windows Server Division general manager, at searchsecurity.com.

Early Adopters
California consultancy and its customers are already putting Windows Server 2008 to work.

Did the trial by fire of Microsoft's security development lifecycle produce a secure, stable product? Windows Server 2008 may be new to most of us, but it's already battle-tested for Rand Morimoto and many of his customers.

"We have 60-plus customers using it, with well over 250 servers in production," says Morimoto, CEO of Oakland-based IT consulting firm Convergent Computing (CCO). "One very large customer deployed it in September and October--a month before the holiday season--and put Windows 2008 in production. They tested their application for nine months prior to release."

CCO has been testing, piloting and deploying Windows Server 2008 for about three years, internally and with customers. Long lead time was essential to larger organizations, which started working with the new OS a year or two in advance of release.

"Because the customers we serve are big companies, things take forever to deploy--two to three years," Morimoto says. "If we don't start early, they're behind. Planning and testing is done well before it ships, so they can make better use of the technology."

According to Morimoto, much of Windows Server 2008's appeal is easier deployment and management. Unlike its predecessor, Windows Server 2003, the new OS features tight application integration out-of-the-box, all managed by a policy engine that is both granular and comprehensive across its components.

"It's policy management, as opposed to systems management," he says. "I can now set policies and apply it to a server or groups of servers across the board."

His customers stake their businesses on Windows Server 2008, and report it is stable, reliable and easy to implement.

"It's simple to install; there's a base system, but you pick and choose roles--terminal service role, domain controller role. It allows organizations to manage better. Once you understand the base of what you have to install, you install only what you need, rather than install everything and then knock things down."

Windows Server 2008 enables a number of key security features of Vista, notably Network Access Protection (NAP). Some customers are co-deploying, having held off on Vista until they were ready to launch Windows Server 2008.

"It's a chicken-and-egg kind of thing," says Morimoto. "A lot of customers looking to roll out new desktops would deploy XP if they don't roll out 2008. But if they do 2008, they need Vista to take full advantage, so most early 2008 adopters are rolling out Vista as well."

Morimoto feels there's still room for improvement, but that the Windows Server 2008 platform provides for strong, integrated security across Microsoft's application suites.

"Microsoft took the first step," he says. "The platform is there, the hooks for the applications are there. It's a matter of stepping up and tying the apps--for example, say through an Exchange service pack--to improve on what Windows Server 2008 has begun."
