Security Enhancements Abound in Windows Server 2008

Six years ago, Microsoft chairman Bill Gates put security at the top of the agenda with the announcement of the company's Trustworthy Computing initiative. The fruits of this initiative are evident in Microsoft's Windows Server 2008, which is packed with new security features and enhancements straight out of the box.

It's rarely wise to state that a new operating system is more secure than its predecessor because security flaws can take months to come to light after the software is released, but in the case of Windows Server 2008, we can say it with some confidence. That's because it shares the same code base as Windows Vista, which was released more than 18 months ago—so in effect the code is already tried and tested, and security patches to Vista have been incorporated into the Windows Server 2008 code.

So what are the new security features and enhancements? They range from an improved software firewall that adds to the corporate gateway, to little touches like Address Space Layout Randomization, which makes it harder for hackers to exploit flaws in applications to compromise the entire server.

Here are just a few more notable security features:

Server Core Installation Option
When a physical machine is to be used for one of a handful of specific server roles, you may decide that the very highest level of security is warranted, even at the expense of administrative convenience. That's where the Server Core installation option comes in handy. It allows you to implement an absolute minimal Windows Server 2008 install, with (almost) no graphical user interface; no unnecessary features, modules or running services; and only about a quarter of the code of a full Windows Server 2008 installation.

This hardened installation is more secure because with less code running there is a much smaller attack surface for a hacker to exploit. Microsoft also estimates that a Server Core installation needs 60 percent fewer patches than a full installation.

You can use Server Core in nine different server roles:

• Active Directory Domain Services
• Active Directory Lightweight Directory Services
• DHCP Server
• DNS Server
• File Services
• Print Services
• Streaming Media Services
• Web Server (IIS 7.0)
• Hyper-V (Windows Server Virtualization)

BitLocker Drive Encryption
BitLocker allows you to encrypt any drive on a Windows Server 2008 machine, including the operating system drive itself. This is important because without encryption anyone gaining physical access to the server could potentially steal the machine or its hard drives, or could boot the server into a different operating system such as Linux from a USB stick or CD and access resources like password hash files, which would normally be protected by the server operating system.

At startup BitLocker checks that no changes have been made to boot components (by a hacker or by malware), and that the operating system drive is in the expected computer before allowing the server to boot and allowing decryption when required.

BitLocker works with Trusted Platform Module (TPM) hardware if the server has it, or it can be used with a USB drive containing an encryption key.

Network Access Protection (NAP)
NAP is Microsoft's version of network access control, a technology that enables you to specify policies that dictate what security software must be running on client machines before they can connect to the corporate network. It can also be used to prevent unknown machines from connecting.

This can help prevent network intrusions from unauthorized computers, and reduce the likelihood of users unwittingly compromising systems on the network by introducing malware from infected client machines.

If a user tries to connect to a Windows Server 2008 machine using a laptop that is not running the anti-virus software specified by corporate policy, for example, or if it doesn't have the most recent virus definitions, it is placed "in quarantine" in a virtual LAN where it can connect to patch servers that can provide it with the necessary software. Once the laptop conforms to all the policy requirements it can then reattempt to connect to the server.

Digitally Signed OS Files
An obvious way for an attacker to compromise the security of a server is to replace or modify system files with malicious ones. To prevent this, Windows Server 2008 uses digitally signed executable and dynamic link library (dll) files, and the operating system checks these signatures to ensure the integrity of these files before loading them in to memory.

Address Space Layout Randomization (ASLR)
One of the most common methods that hackers use to get control of a server is to exploit flaws in application code to carry out buffer overflow attacks. This involves providing an application with more data than it expects, and getting this data (some of which is malicious software known as shell code) to overflow into an area of the computer where it can be run.

Getting it to run usually involves making use of at least one core system dll, and to do this the hacker has to know its exact location in memory. In the past these locations were fixed, but Windows Server 2008 uses ASLR to load these dlls into different memory addresses each time Windows Server 2008 is booted, making it almost impossible for a hacker to get the shell code to run.

To prevent a hacker from making repeated attempts to guess the correct address, Windows Server 2008 requires that the system is rebooted after 10 process crashes (which usually follow unsuccessful guesses).

Read Only Domain Controllers (RODCs)
Servers in branch offices are potential security vulnerabilities, as access control to these machines is often less strict than with servers in corporate datacenters.

If the branch office server in question is a Domain Controller, a serious security breach could result if an intruder with access to the domain controller made changes to the Active Directory Domain Services database, as these changes would be propagated throughout the organization. Previously the only alternative was for branch office users to connect to a Domain Controller at the corporate datacenter, often resulting in slow log-ons—especially if the branch office only has a low bandwidth wide area connection (WAN) link.

With Windows Server 2008's RODC feature, branch offices can host Domain Controllers that are read-only. Since changes to the Domain Services database can only be made directly at the datacenter and not at the branch office, this means that Domain Controllers can now be run at branch offices with the risk of unauthorized users gaining access to them and corrupting the database.

These are just a few of the new security measures in Windows Server 2008—there are many more that haven't been touched upon. But together these illustrate the point that Microsoft is taking its Trustworthy Computing initiative seriously, and all the signs indicate that Windows Server 2008 is the company's most secure server platform ever.