Microsoft: Home Server Sports Serious Security
The new server software, which Microsoft will debut in the third quarter inside a Hewlett-Packard box, has bits and pieces from other versions of Windows -- including some from the upcoming Longhorn server -- but "under the hood, it's essentially technology from Windows Server 2003," says Todd Headrick, Microsoft's product planner for Home Server.
Among the security steps Microsoft has taken in the software, adds Headrick, are to turn remote access off by default, open only those ports necessary for remote access when it is enabled, and to work with third-party vendors on potential add-on security.
"We're working with a variety of anti-virus [companies] for them to provide solutions if they want to run it on the server," says Headrick. He did not name the vendors. Like other editions of Windows, Home Server won't come with anti-virus software pre-installed. "Think of this as a new version of Windows if you want," says Headrick.
That also means it will need to be patched against future flaws. Windows Update -- the same service and mechanism used by consumer PCs -- will be set to automatically retrieve and install fixes. And the Home Server software will be added to the list of supported operating systems that Microsoft's security group monitors. "We'll manage vulnerabilities and patches [for Home Server] just like we manage all other vulnerabilities and patches," Headrick says.
"We've set Automatic Updates [to go online] daily at 4 a.m., when the house is sleeping."
One thing that Home Server won't do, however, is grab security updates for the home's PCs for distribution across the home network, a technique commonly used in enterprises to roll out patches for the company's desktops.
"We thought a lot about that and did quite a bit of analysis," Headrick says. "But we decided not to do it. First, the PCs don't stay tethered to the house. Families are buying more laptops, and if we had set Home Server [as the patch manager] a laptop that was out of the house for a month or more would be unprotected. We didn't want to be the bottleneck to those computers getting patched," says Headrick.
"And when we looked at bandwidth [as a reason to push patches from the server], we figured out that the amount of bandwidth taken up by patching just two or three or four PCs is minimal."
The server, however, won't be invulnerable to attack, Headrick acknowledges. Although the hardware will plug into the router -- and so will be protected behind that device's firewall -- an attack on one of the outward-facing PCs could be crafted to also compromise the data repository, a potentially lucrative target for cyber criminals and scammers.
"Yes, it would be possible. People do a lot of stupid things, like opening attachments," Headrick says. "We can't keep them from doing that."
Headrick also promised that the software, which will move into a second round of beta testing before the end of the month, will make security setup and management a snap. Initial setup will be conducted through one or more wizards that pose easy-to-understand questions, Headrick says, while later management of Home Server's security can be done from a PC connected to the network via a Web-based console.
Other security features in the server software are specific to Windows Vista. PCs running Vista will report their security status to the server, which in turn will alert the administrator -- presumably a parent -- that one or more systems need attention. The server, however, won't sport Vista-specific security provisions that Microsoft has touted, including User Account Control, a feature meant to make it more difficult for attackers to plant malicious code without the user's knowledge.
Even so, Headrick is confident that Home Server will stand up to scrutiny and properly protect a home's data investment. "We've learned a lot over the last two years, since Windows Server 2003 [released]."