|
Where Microsoft Stands With Security
Recent releases to implement security include Windows Server Update Services and Service Pack 1 for Windows Server 2003.
by Danielle Ruest and Nelson Ruest
Tech•Ed, June 6, 2005
At Tech•Ed two years ago, Microsoft chief security strategist Scott Charney delivered a keynote focused on how Microsoft wasn't doing well in security. His main point was that Microsoft had too many delivery systems for patches and security updates—eight different systems in fact.
The result: the upcoming Windows Server Update Services (WSUS), which is in Release Candidate right now. For the first time, Microsoft has one single integrated approach to patch management. WSUS provides a framework upon which all Microsoft software will eventually be maintained. WSUS will manage only core Microsoft technologies such as Windows, SQL Server, Exchange, and Office in its first release, but the framework it is built on allows you to add any other Microsoft product without requiring you to change anything at the level of operations practices or architecture.
WSUS also supports the integration of third-party products. Its interface is simple to use, its reports are excellent, and it is intelligent enough to know whether a computer system requires a given patch—all features that were sorely lacking in the previous Software Update Services version.
Another sign that Microsoft is taking security seriously is the recent release of Service Pack 1 for Windows Server 2003. As you might know, this service pack is touted as the most secure version of the server to date. It includes the Security Configuration Wizard (SCW), a powerful interface that lets you secure servers on a role basis, letting you turn on just enough to let the server provide the services it is designed to, and only that.
But SCW's best feature is not only the ability to lock down a system and lock it for good, but rather the explanations it provides about why you might want to turn off this or that service, port, or protocol. SCW also generates templates that you can use to modify and lock down systems one after the other. You can even apply these templates at system construction, making sure systems are safe and secure right out of the box. If you lock down a system so completely, on the other hand, you're bound to break things. One case in point is Dell's Open Manager: You'll need an updated version to be able to run it with Service Pack 1. This is only one example, so make sure you learn just what works and what doesn't with Service Pack 1 (see Resources).
Microsoft is also working on the upcoming R2 version of Windows Server 2003. R2 is touted as "built on Windows Server Service Pack 1," so it means an even more secure operating system. One new feature is Active Directory Federation Services, a Web-service based authentication model that lets Windows and Unix share authentication services beyond the firewall without having to establish trusts between the organizations. Users are authenticated in their own domains and are granted limited access rights in shared environments.
A whole series of new features has surfaced as a direct result of Charney's efforts starting two years ago, many of which are evident in Microsoft's new and upcoming products, but also in increased prescriptive guidance on database security, wireless computing, digital rights management, secure development practices, messaging, perimeter networks, public key infrastructures, and risk management.
Back to top
|