This article can also be found in the Premium Editorial Download "Information Security magazine: Unwrapping Windows Server 2003: An exclusive first look at Microsoft's new OS."
For Enterasys Networks CIO Len Couture, Windows Server 2003's granular controls and enhanced security features make it an attractive operating system. And migrating to the new platform was relatively straightforward, since the new OS shared the same basic architecture as Windows 2000.
When the transition program started, employees would often log out of Win2K, depart for the weekend, and log in Monday morning to a Win2003 server. In all, Enterasys, a maker of networking and security solutions, has migrated its 41 servers that support 1,700 employees at 55 sites around the world.
"It hasn't been as easy as putting in a CD," says Couture, who participated in the Win2003 beta program. "Some pieces have been time-consuming, but that's part of the process."
Adopting Win2003 isn't supposed to be simple, says Chris Cannon, product manager for the Microsoft Windows group. Microsoft wants enterprises to think about how they're deploying the operating system for efficiency, effectiveness and security. Win2K users will find the migration process relatively clear-cut, while Windows NT 4.0 users will have more to consider and more difficulties transitioning to an Active Directory environment. In both cases, planning and preparation are vitally important.
Cannon recommends a four-phase transition process: assessing and planning, preparation, migration and post-migration cleanup.
Assessment and Planning: Before placing the Win2003 CD in any server, Cannon says, users should first study what systems they're moving to Win2003, then determine how they're going to roll out the new OS to different network segments. They also should develop contingency plans for data recovery and fallback servers in case the installation fails, he says.
Preparation: Enterprises have a choice when migrating to Win2003--install on an existing production server or install on a replacement server. Some enterprises won't feel comfortable with a hot installation on an in-service production server, fearing problems will cause network disruptions. Installing on a new server gives enterprises the opportunity to immediately fall back to their legacy server if the Win2003 installation doesn't take.
Particularly important to NT environments is creating trusted relationships between NT machines and the Win2003 Active Directory-based environment. During the migration, older NT machines must be able to see the accounts in the new environment. Microsoft makes Active Directory migration tools to aid in this process.
Transitioning: Enterprises can either migrate all their servers en masse or phase in the transition. As Cannon explains, Win2003 is compatible with NT and Win2K, and there's no requirement for deploying a homogeneous Win2003 environment.
Microsoft even made provisions for backwards compatibility in IIS 6.0, allowing it to run either as the new version or in emulation of IIS 5.0. (IIS 6.0 comes with services off by default. However, if IIS is installed on an existing system, it will automatically turn on services that were running on IIS 5.0--albeit in a high-security state similar to the security zone settings in Internet Explorer.)
Post-migration Cleanup: Once Win2003 is installed, enterprises must verify that applications that are Active Directory-aware will recognize the extended schemas of the Win2003 environment. The additional attributes give Win2003 greater granular control of access to network resources than Win2K, but don't always port over from legacy settings.
Win2003 allows admins to test Active Directory paths before implementing them and gives them the ability to back out to a previous state. Microsoft says Win2003 is a "more secure" operating system, but it still isn't secure out of the box. The OS requires fine-tuning to make it secure, and Microsoft is providing a number of security guidelines and tools to help users. More tools are expected to help harden other components--such as an IIS hardening tool.
Regardless of security improvements in Win2003, some say making the OS more difficult to deploy and use will ultimately help security. "It's certainly important that it comes out of the box in a default configuration that's more secure," says John Pescatore, VP of infosec research at Gartner.
When Microsoft released NT and Win2K, Gartner recommended enterprises wait 18 months before upgrading, until the bugs and initial vulnerabilities were corrected. Gartner is recommending a 12-month wait for Win2003.
So far, users are enamored with Win2003's security and operating improvements, but not even Microsoft expects widespread adoption until the release of service pack 1. Still, early adopters say this healthy skepticism shouldn't deter enterprises from considering upgrading. "Microsoft is certain to get it right on this stuff," says Enterasys' Couture.
This was first published in April 2003