Microsoft Details Windows Server 2003 Security Enhancements

Mike Nash, corporate vice president of Microsoft's Security Business Unit, on Thursday discussed several of the upcoming product's enhancements during a presentation here on the company's security efforts.

To make Windows Server 2003 more secure, more than 20 services in Windows Server 2003 will be turned off by default, Nash said. Out of the box, Internet Explorer in Windows Server 2003 will have limited functionality, he said. IE technologies will ship with a default security setting of high. Plus, users can't log on remotely using an account with a blank password.

Windows Server 2003 will also include a redesign of Microsoft's Internet Information Services (IIS) that enables a low-privilege user account to limit network access as a way to reduce potential attacks. Also, a Common Language Runtime (CLR) engine will help reduce the number of security flaws caused by common programming mistakes, Microsoft said.

The software also includes enhanced public key infrastructure (PKI) services and provides for role-based authentication, Nash said.

This summer, Microsoft said it plans to introduce the Secure Configuration Wizard, an add-on component for Windows Server 2003 that will automate the configuration of servers for optimal security, depending on server roles.

Windows Server 2003, slated for release in April, strikes "a balance between functionality and security," Nash said.

He said the product was built to be secure by design, default and deployment. Microsoft adopted the three-pronged strategy to boost the security of the Windows platform as part of its Trustworthy Computing initiative.

Nash said Microsoft has invested $200 million to improve the security in the Windows platform. That amount includes money spent to have developers examine code and third-party software penetration testing, he said.

The core tenets of the company's Trustworthy Computing initiative are security, privacy, reliability and business integrity, Nash said.

"The vision here is to make software as trustworthy as a modern public utility," he said.

A year ago, Microsoft Chairman and Chief Software Architect Bill Gates issued a directive to employees to focus on security over features in product development.

In the future, Nash said customers and partners can expect Microsoft to provide security fixes in the form of service packs for existing products as necessary, as well as continued improvement in the patching process.

"The key thing we realize is this [Trustworthy Computing] is an ongoing process. It's not a one-year initiative," he said.