
Longhorn: Long on Security?

By Tyler Lawton, CRN
January 19, 2007    12:00 AM ET


Let's face it, Microsoft is a lightning rod when it comes to security. In past weeks, it's drawn fire from McAfee and the European Union, among others, over closing the Vista kernel. Furthermore, the first Vista exploit was made public on Dec. 22, just three weeks after the OS's general release.

One bright spot for Redmond is Windows Longhorn Server, a ground-up redesign of the Windows kernel. Longhorn has a real focus on increased security, as well as simplified management and improved performance. To find out just how significant a change Microsoft's next-generation server OS will be for the enterprise, we brought a beta version of the code into our Syracuse University Real-World Labs® and tried out the new security features.

After weeks of hammering, picking and probing, we walked away impressed. As Microsoft promised, Longhorn offers significant security improvements in the areas of setup and configuration, OS modularity and client health detection, plus an enhanced firewall and a new IP stack.

More subtly, you'll find the kind of attention to security details that Microsoft products have lacked in the past. Take, for example, the best little feature that you may never even notice: While the Initial Configuration tasks wizard is running, the server cannot be accessed through the network. Touches like this bode well. On a larger scale, Longhorn incorporates Microsoft's NAP (Network Access Protection) technology to provide added safeguards for remote-access connections.

Unfortunately, the best technological innovation in Longhorn, namely NAP, requires changes to existing desktops, which we're always loath to recommend. At a minimum, taking full advantage of Longhorn Server will mean an upgrade to existing XP installations or a migration to Vista--something most organizations, particularly those with a mix of client OSs, will find hard to swallow. Assuming that Vista is already present is a nonstarter.

In addition, IT will have to invest in education: Given the alerts generated by NAP, administrators run the risk of tearing their hair out as tighter restrictions on the network force more users to perform remedial actions. IT must adjust its business plan and set internal expectations accordingly. It may well be that the full return on a Longhorn upgrade will only be realized as endpoints are upgraded.

Triple-play Protection

With NAP, Longhorn goes beyond Server 2003's Network Access Quarantine Control--which offered added protection only to remote-access connections--to protect all VPN-, DHCP- and IPsec-based communications.

In a nutshell, NAP provides three functions needed to protect the enterprise from rogue clients: Network restriction limits access to clients that are in compliance with corporate security policies. Rogue clients are quarantined for further remediation. NAP also provides IT with network-policy validation for required patches, current antivirus signatures and proper firewall configuration settings.

Finally, NAP takes measures to remediate the client. Network access control--where, if a client fails the health-check policies, administrators can update the client automatically to compliant levels--requires client-management software, such as Microsoft SMS (Systems Management Server). A monitoring-only configuration is also supported that would allow noncompliant clients access to some network resources while administrators remediate compliance levels at a later time. For an overview of NAP, see "Microsoft NAP Architecture Summary," below.

To enable NAP, endpoints need a NAP Client agent, included with Vista and Longhorn, and currently in beta tests for XP. The process is a little more complex for NAP servers, which must be running NAP Administration Server, a System Health Validator, a Health Policy, a Health Certificate Server, a Remediation Server and a Policy Server.

The good news is that NAP is hardly hype. On our test network of two Longhorn servers, we were able to configure an Authorization Policy that restricted VPN access to clients that had Windows Firewall enabled. Clients that failed to comply with our Authorization Policy were directed to a Web page on our restricted-access remediation server, which notified users that their connections had failed and provided information on how to conform with the policy--in this case, by enabling the desktop firewall. Obviously, this is a simple test, but we believe network administrators will be able to tailor the System Health Validators and Authorization Policies to their environments. For much more on NAP, see "The Plot Thickens".
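To make the three NAP functions described above concrete (restriction, policy validation and remediation, plus the monitoring-only mode), here is an added example that models a System Health Validator evaluating client statements of health against a health policy like the firewall-required VPN policy in our test. It is illustrative code written for this article, not Microsoft's NAP implementation or its API; the client records, the policy thresholds and the remediation URL are all constructed placeholders.

```python
"""Simplified model of NAP-style health validation.

Added example, not Microsoft code: a client submits a statement of health,
a validator compares it with the health policy and the server decides between
full access, restricted access (quarantine plus remediation page) or, in
monitoring-only mode, full access with the failure logged for later follow-up.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class StatementOfHealth:
    """What the NAP client agent reports about the endpoint."""
    client: str
    firewall_enabled: bool
    av_signature_date: date
    missing_patches: Tuple[str, ...] = ()


@dataclass
class HealthPolicy:
    """Requirements the validator enforces. enforce=False is monitoring-only."""
    require_firewall: bool = True
    max_signature_age_days: int = 7
    require_all_patches: bool = True
    enforce: bool = True
    # Placeholder address of the restricted-access remediation server.
    remediation_url: str = "http://remediation.example.test/fix"


@dataclass
class AccessDecision:
    client: str
    compliant: bool
    failures: List[str]
    access: str                     # "full", "restricted" or "full (monitored)"
    remediation_url: Optional[str]  # where a noncompliant client is sent


def validate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> AccessDecision:
    """Run the health checks and turn the result into an access decision."""
    failures: List[str] = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    age_days = (today - soh.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {age_days} days old")
    if policy.require_all_patches and soh.missing_patches:
        failures.append("missing patches: " + ", ".join(soh.missing_patches))

    compliant = not failures
    if compliant:
        return AccessDecision(soh.client, True, failures, "full", None)
    if policy.enforce:
        # Quarantine: only the remediation server is reachable.
        return AccessDecision(soh.client, False, failures, "restricted", policy.remediation_url)
    # Monitoring-only: let the client in, but record what needs fixing.
    return AccessDecision(soh.client, False, failures, "full (monitored)", policy.remediation_url)


# Constructed sample endpoints, evaluated as of the article's date.
TODAY = date(2007, 1, 19)
SAMPLE_CLIENTS = [
    StatementOfHealth("laptop-a", True, date(2007, 1, 18)),
    StatementOfHealth("laptop-b", False, date(2007, 1, 18)),
    StatementOfHealth("laptop-c", True, date(2006, 12, 20), ("KB-PLACEHOLDER-1",)),
]


def evaluate_all(policy: HealthPolicy) -> List[AccessDecision]:
    """Evaluate every sample client under one policy."""
    return [validate(soh, policy, TODAY) for soh in SAMPLE_CLIENTS]


if __name__ == "__main__":
    for label, policy in (("enforcing", HealthPolicy()), ("monitoring-only", HealthPolicy(enforce=False))):
        print(f"--- {label} ---")
        for d in evaluate_all(policy):
            why = "; ".join(d.failures) or "compliant"
            print(f"{d.client}: {d.access} ({why})")
```

Running the script shows laptop-a admitted, laptop-b quarantined for the disabled firewall, and laptop-c quarantined for stale signatures and a missing patch; switching the policy to monitoring-only lets all three in while still recording the failures that IT must remediate later.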
