If you missed the first part in this series, click here to read “Changes to Default Settings Make Windows Server 2003 More Secure (Part 1).”
A few weeks ago, in Part 1 of this two-part article, we discussed how today’s high-risk computing environment, rife with viruses, worms and potential intruders and attackers, means today’s operating systems must take a different approach to security from those of the past. It is more important than ever that higher security be part of the default configuration. Consequently, Microsoft has made a number of changes to the default settings in Windows 2003 to make it more secure “out of the box.”
We already looked at some of those changes, including differences in default permissions (both share and NTFS), changes to the membership of the Everyone group, and changes to ownership of objects. In Part 2, we’ll examine the changes that have been made to the default settings for common services and changes in the authentication process, and we’ll discuss some areas in which some believe that Server 2003’s defaults are still too open.
Default Settings for Common Services
Another change in Windows Server 2003 is that fewer services now run under the local system account. Almost all services used this account in Windows 2000. Programs that run in this context have unlimited privileges on the local computer, which presents an obvious security risk. Instead of using the local system account, some common services now use the local service or network service account. These accounts have a much lower level of privileges than the local system account.
There are still many services that do log on as the local system (for example, the Automatic Updates service, the computer browser service and the DHCP client, along with many others, still use the local system account). However, several others do not. For example, the Alerter service, which used the local system account in Windows 2000, uses the local service account in Server 2003, and the DNS, which used the local system account in Windows 2000, uses the network service account in Server 2003. This provides for better security.
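To see how this split looks on a particular server, the following added example (not part of the original article) classifies each service by the account it logs on as. It assumes PowerShell 2.0 is installed, which is not part of a default Server 2003 install; the function names and the sample rows are constructed for illustration.

```powershell
# Added example: classify services by the account they log on as.
# Get-AccountClass and Get-ServiceAccountSummary are illustrative names.
function Get-AccountClass([string]$StartName) {
    # Win32_Service.StartName holds the logon account, for example
    # "LocalSystem" or "NT AUTHORITY\LocalService".
    switch -Regex ($StartName) {
        '^(\.\\)?LocalSystem$'             { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'   { return 'LocalService' }
        '^NT AUTHORITY\\Network ?Service$' { return 'NetworkService' }
        '^\s*$'                            { return 'Unknown' }
        default                            { return 'NamedAccount' }
    }
}

function Get-ServiceAccountSummary {
    param([Parameter(ValueFromPipeline = $true)] $Service)
    process {
        New-Object PSObject -Property @{
            Name    = $Service.Name
            Account = $Service.StartName
            Class   = Get-AccountClass $Service.StartName
        }
    }
}

# Constructed sample rows for the services the article names, so the
# logic can be checked without querying a live server.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Alerter';  StartName = 'NT AUTHORITY\LocalService' }),
    (New-Object PSObject -Property @{ Name = 'wuauserv'; StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'Browser';  StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'Dhcp';     StartName = 'LocalSystem' })
)
$sample | Get-ServiceAccountSummary | Sort-Object Class, Name |
    Format-Table Name, Class, Account -AutoSize

# On a live server: count services per class, then list the LocalSystem
# ones, which are the candidates for a least-privilege review.
$live = Get-WmiObject Win32_Service | Get-ServiceAccountSummary
$live | Group-Object Class | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$live | Where-Object { $_.Class -eq 'LocalSystem' } | Sort-Object Name |
    Format-Table Name -AutoSize
```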
Changes in the Authentication Process
The authentication process has been improved for better security, both when logging onto the local computer and when logging onto a domain. One important change for local computer authentication is the inability to use blank passwords when accessing the system remotely (note, however, that blank passwords can still be used at the console).
Cross-forest trusts are a new feature for Active Directory domain authentication. A forest trust uses Kerberos v5 or NTLM, routing the authentication requests across forests. Administrators can control the scope of authentication between two forests that have a trust relationship, using selective authentication. When the selective authentication option is in use, you can manually set permissions on the domains and resources to which you want to grant access to users in the other forest.
Changes to IIS
Some of the most dramatic changes are to the default settings in IIS 6.0. The web server now is not installed by default when you install Server 2003 Standard, Enterprise and Datacenter editions (it is installed in Web Server edition, for obvious reasons). This helps to eliminate the all too common occurrence in which administrators are inadvertently running rogue web servers on the network.
If you do install IIS 6.0, by default it is in a “locked down” mode in which dynamic content components such as ASP, WebDAV and FrontPage extensions are disabled. IIS 6.0 also includes new authentication methods and URL authorization for greater security. For more information about IIS 6.0’s new security features, see my article titled What’s New in Windows 2003 Server: IIS Security Enhancements on this site at http://www.windowsecurity.com/articles/IIS_Security_Enhancements.html.
Easily Reapply Security Defaults
A new feature in Server 2003 security lets you easily reapply the default security settings if you’ve made changes. There are two ways to do this:
- With the graphical interface
- At the command line
To reapply the settings with the GUI, you use the Security Configuration and Analysis tool (create a custom MMC and add the Security Configuration and Analysis snap-in). Log on with the appropriate administrative privileges (local administrator to reapply default settings to the local computer, or domain or enterprise admin privileges to reapply settings to a domain computer). You must import the appropriate template (the DC security template for domain controllers or the setup security template for non-domain controllers), then do the following:
- Check the Clear this database before importing checkbox.
- Click Open.
- Right click Security Configuration and Analysis in the console tree and select Configure Computer Now.
- Specify a file path for the error log or accept the default path.
- Click OK to perform the configuration.
You can also use the secedit command to reapply default settings for specific areas instead of applying the entire setup security template.
NOTE: For more information about how to use the command line to reapply settings, see secedit /configure in the Windows Server 2003 Help files.
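As an added example (not from the original article), the script below wraps secedit /configure so that only selected areas are reset from the default template. It assumes PowerShell is installed and that the templates are in their usual location under %windir%\security\templates; the function names and working directory are illustrative.

```powershell
# Added example: reapply default settings for selected areas with secedit.
# Function names and the working directory are illustrative assumptions.
$ValidAreas = 'SECURITYPOLICY', 'GROUP_MGMT', 'USER_RIGHTS',
              'REGKEYS', 'FILESTORE', 'SERVICES'

function Get-DefaultTemplatePath {
    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    $name = if ($role -ge 4) { 'DC security.inf' } else { 'setup security.inf' }
    Join-Path $env:windir "security\templates\$name"
}

function Reset-DefaultSecurityArea {
    param(
        [Parameter(Mandatory = $true)] [string[]]$Areas,
        [string]$Template = (Get-DefaultTemplatePath),
        [string]$WorkDir  = (Join-Path $env:TEMP 'secedit-defaults')
    )
    # Reject area names secedit does not know before changing anything.
    $bad = @($Areas | Where-Object { $ValidAreas -notcontains $_.ToUpper() })
    if ($bad.Count -gt 0) { throw "Unknown area(s): $($bad -join ', ')" }
    if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'defaults.sdb'
    $log = Join-Path $WorkDir 'defaults.log'

    # /overwrite empties the database before the import, the command-line
    # counterpart of "Clear this database before importing" in the GUI.
    $seceditArgs = @('/configure', '/db', $db, '/cfg', $Template,
                     '/overwrite', '/areas') + $Areas +
                   @('/log', $log, '/quiet')
    & secedit.exe $seceditArgs

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit exited with $LASTEXITCODE; review $log"
    }
    New-Object PSObject -Property @{
        Template = $Template
        Areas    = $Areas -join ' '
        ExitCode = $LASTEXITCODE
        Log      = $log
    }
}

# Run from an administrative session: reset user rights and service
# settings only, leaving file and registry permissions untouched.
Reset-DefaultSecurityArea -Areas USER_RIGHTS, SERVICES
```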
Are the Defaults Still Not Locked Down Enough?
Proponents of a strict “principle of least privilege” security philosophy are pleased that Microsoft has taken steps to provide a more locked down environment out of the box for Windows Server 2003, but argue that they haven’t gone far enough. The question is, as always: how much accessibility are users and administrators willing to trade for more security?
In my previous career, I was a police academy trainer and taught defensive tactics to young recruits. A question that always came up with rookie police officers was that of the “security holster” – these were designed to make it more difficult for a bad guy to take away the police officer’s gun. The only problem was that, with many of these high security holsters, we found in firearms training exercises that the officer him/herself wasn’t able to draw the weapon when it was needed – yes, Virginia, maybe there is such a thing as too much security.
Similarly, we’re already hearing complaints from web administrators about IIS 6.0 – so many features are “turned off” by default that the functionality of the application is impaired. At the academy, we advised those who chose to use high security holsters that the price they had to pay was much more practice to learn to use them. The same holds true for new high security operating systems and applications: the learning curve is going to be greater. This is not necessarily a bad thing, but it’s important that this tradeoff be understood upfront. Security comes with a price, and that price is accessibility. In today’s dangerous world (both online and off), it is often an acceptable price.
Windows Server 2003 includes many new security features, and default settings that provide tighter security (and less accessibility) than in previous versions of Windows are among those features. In this two-part article, we took a look at how the new default settings make Windows Server 2003 the most secure Microsoft server operating system yet.