Published: 01 Feb 2008
Unwrap Windows Server 2008, the first server revision under Trustworthy Computing. Microsoft promises it is secure by design, default and deployment.
"There's no doubt about it; this is the first full Windows Server revision [under Trustworthy Computing]," says Rand Morimoto, CEO and principal consultant for Oakland-based Convergent Computing, which has been piloting Windows Server 2008 internally and for customers. "When they came out with Windows Server 2003, it had already been half baked before Trustworthy Computing began. Windows Server 2008 is built from scratch--the server core has a lot of security built in."
The verdict on the inherent security of Server 2008's code will be rendered in the number and severity of vulnerabilities that come to light in the months and years following its release (manufacturing release is scheduled for Feb. 27). Microsoft trumpets security as the primary design consideration for Windows Server 2008, the product of its Security Development Lifecycle (SDL) process. It retrained its development staff on how to write secure code and created threat models, performing extensive security testing against each model. These efforts should go a long way toward reducing flaws that can be exploited; for example, you won't have to worry about things like buffer overflow attacks against your Windows Server 2008 systems.
Is that sufficient reason to upgrade? Perhaps, but in addition to changes in the code itself, Windows Server 2008 provides many new data and network protection features and enhancements that allow you to more easily respond to new security compliance requirements. We'll focus on what Microsoft has done under the hood, as well as a few of the features that secure your directory services, data and network environments.
ARMORED OS
Windows Server 2008 introduces a number of mechanisms to help bulletproof the operating system, starting with BitLocker Drive Encryption, an optional mechanism to encrypt OS volumes while protecting the integrity of the Windows boot process. Encrypting the entire operating system volume on the hard disk hardens the OS against software attacks and protects against loss of any other data on the drive.
BitLocker mitigates the impact of unauthorized access through two separate protection procedures: drive encryption and secure startup (integrity verification).
All user and system files on the volume are encrypted, including user data, the page file and temp files. It also provides protection for any third-party applications when installed on the encrypted volume. Drive encryption is designed to work in conjunction with a Trusted Platform Module (TPM 1.2) chipset; however, it will function on a system without TPM as long as the BIOS can boot from a USB flash drive.
As with many security technologies, there is a corresponding tradeoff in ease of management. System upgrades will require you to decrypt the volume; non-Microsoft software updates will require you to completely disable BitLocker before you start, otherwise the system will enter a recovery mode and require a recovery key or password before it can be accessed. On the other hand, setup and management is wizard-based and is extensible through a Windows Management Instrumentation (WMI) interface.
Microsoft says there is no noticeable performance impact on the server, as it imposes only a single-digit percentage increase in overhead. Encryption occurs in the background and proceeds at a rate of approximately 1 GB per minute in most cases.
Secure startup, which requires the TPM 1.2 chipset, protects the integrity of the boot process and protects against data theft or system tampering when the OS is offline or even while it is being installed. It helps to ensure that data decryption is performed only if the boot components appear unmolested and that the encrypted drive is located in the original computer. If the system is tampered with, it will be locked and refuse to boot. No ports will be opened until the OS is fully booted.
Windows Server 2008 extends its OS security features once a server is running as well. It uses digital signatures to stop hackers (or malware) from replacing operating system files with malicious files of the same name. All of the operating system's executables and dynamic link libraries (DLLs) have been digitally signed, and the OS checks the signatures prior to loading these files into memory.
In addition, Windows Server 2008 uses a technique called Address Space Layout Randomization to thwart attacks such as buffer overflows that target known addresses in the system for specific bits of code. Earlier Windows OSes use tables of hard-coded addresses, which were easy to exploit. Malware could be written to target those specific locations, then propagate to the machine through a buffer overflow. The new technique randomly arranges the positions of key data areas each time the system boots, making it look "different" to malware each time, providing protection against automated attacks.
If a piece of malware targets the wrong location, it will most likely crash the process. Windows Server 2008 has a restart limit of 10, so if a process is scheduled for auto start, which most are, the malware can't just blindly try 256 times, wait for the service to restart and then try again. After the 10th time, the server requires a reboot. At that point, an administrator should certainly realize that the system may be under attack and figure out what's going on by looking at the event logs or receiving a notification from a management utility.
FIREWALL LOOKS BOTH WAYS
Firewall rules now control outbound as well as inbound traffic.
The latest version of the firewall is easier to configure as well.
Application rules are still based on path and are not hashed values of the executable, but you can specify an individual service by service name alone, instead of having to specify the exact path to the service.
Also, in previous versions of the operating system, traditional firewall behavior and IPsec policy management were handled by different interfaces. Administrators often found this confusing, and confusion leads to configuration mistakes--which can lead to potential security breaches. The firewall is now fully integrated with IPsec.
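As an added illustration (not taken from the article), the following netsh advfirewall sequence shows an outbound rule and an inbound rule keyed on a service name rather than a path; the service name ExampleSvc and the port numbers are assumed values.

```powershell
# Added example, not from the article: firewall rules keyed on a service short
# name on Windows Server 2008. "ExampleSvc" and the ports are assumed values.
# Run from an elevated prompt. Arguments containing spaces are quoted whole so
# PowerShell hands each "key=value" to netsh.exe as a single token.
$svc = 'ExampleSvc'

# Per-profile defaults: drop unsolicited inbound, allow outbound unless a rule says otherwise.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Outbound block keyed on the service short name (service=), not on the binary's
# path, so the rule follows the service's identity rather than a file location.
netsh advfirewall firewall add rule "name=$svc - no SMTP out" dir=out action=block `
    "service=$svc" protocol=TCP remoteport=25 profile=any

# Inbound allow restricted to the same service: only that service may accept
# connections on 8443, and only on the domain profile.
netsh advfirewall firewall add rule "name=$svc - listen 8443" dir=in action=allow `
    "service=$svc" protocol=TCP localport=8443 profile=domain

# Caveat: explicit block rules are evaluated before allow rules, so a broader
# allow-out rule for the same program cannot re-open port 25 for this service.
netsh advfirewall firewall show rule "name=$svc - no SMTP out" verbose
```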
PUTTING SERVICES IN THEIR PLACE
Windows Server 2008 will limit the damage that a compromised system can do through a reduced attack surface and Windows Service Hardening, which uses the principle of least privilege. The number of services installed and/or running by default has been greatly reduced, presenting fewer targets for malware.
Microsoft tackles the issue of privilege with more granular service account options. Windows Server 2003 and Windows XP use three service accounts (NetworkService, LocalService and LocalSystem). If a service running under one of those accounts was infected, malware injected onto the system would run with the full rights of that service account. That was particularly bad under the "super-admin" LocalSystem account, which gave malware an entry point to your entire network.
Windows Server 2008 addresses this problem by expanding to six service accounts, each with a specific scope and capabilities to provide for more granular control (see "Securing Windows Services" (PDF) below). To strip services of permissions they don't require, a number of services that used to run under the context of the LocalSystem account now run under a less-privileged account, such as LocalService or NetworkService. Critical Windows services are now restricted so they can't behave beyond their normal operating parameters. For example, the Remote Procedure Call (RPC) service cannot replace system files or modify the registry.
You can even specify which privileges or special powers a service can have (shutdown, audit, etc.), so malware doesn't have access to all the default privileges of the account under which the compromised service is running.
Further, services now have a unique security identifier (SID), so they can no longer run under the radar. In previous server OSes, a service would run anonymously under the context of the service account it was configured to use, such as LocalSystem, giving the service extensive privileges on the local computer. That meant you could only apply an Access Control List (ACL) against the service account--generally not a practical solution--not the actual service, essentially giving administrative control to an anonymous entity. With unique SIDs, ACLs can be applied to specific services for tight control.
This can be taken a step further by applying a write-restricted token to the service process. Write attempts to resources that do not explicitly grant the service SID access will fail.
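The per-service SID, the write-restricted token and the trimmed privilege list described above can all be set from the command line. This is an added example, not the article's own material; the service name ExampleSvc, the data path and the privilege list are assumptions, and it applies most cleanly to a service that runs in its own process.

```powershell
# Added example, not from the article: lock one service down on Windows Server 2008
# using its per-service SID, a write-restricted token and an explicit privilege list.
# "ExampleSvc" and C:\ExampleSvc\data are assumed values. Run from an elevated prompt.
# Note: in PowerShell "sc" is an alias for Set-Content, so call sc.exe by full name.
$svc  = 'ExampleSvc'
$data = 'C:\ExampleSvc\data'

# Every service has a SID of the form S-1-5-80-..., derived from its name.
sc.exe showsid $svc

# Ask the Service Control Manager to build the service's token with that SID as a
# restricted SID (a write-restricted token). Takes effect on the next service start.
# For services sharing one svchost process, the setting must agree across them.
sc.exe sidtype $svc restricted

# Only the privileges listed here stay in the token; everything else the account
# (for example LocalService) would normally hold is removed. Separate names with "/".
sc.exe privs $svc SeChangeNotifyPrivilege/SeCreateGlobalPrivilege

# With a write-restricted token a write succeeds only where the ACL grants it to the
# service SID itself, not merely to the account. Grant Modify via NT SERVICE\<name>
# on the one directory the service needs; every other location stays read-only for it.
icacls $data /grant "NT SERVICE\${svc}:(OI)(CI)M"

# Read back the configuration, then restart so the new token is built.
sc.exe qsidtype $svc
sc.exe qprivs $svc
Restart-Service -Name $svc
```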
LOOK, BUT DON'T TOUCH
Active Directory (AD) is at the heart of your security infrastructure--it's where you set and manage access and authorization. It can also be a huge security risk when it sits in a branch office or anywhere you cannot prevent tampering.
[Figure caption: Network Policy and Access Services provides components required for implementing Network Access Protection.]
Windows Server 2008 addresses this with a Read-Only Domain Controller (RODC), an AD domain controller that contains a read-only version of the AD Directory Services (AD DS) database and is designed to be placed in remote locations or anywhere that physical security of the server cannot be guaranteed. The AD DS replica on the RODC is bulletproof; any changes must be made on a writable domain controller and replicated to the RODC. By default, account passwords are not stored on an RODC and a Password Replication Policy determines if a user's or computer's credentials can be replicated from the writable domain controller.
You can also give a local user limited rights to perform maintenance work on the domain controller, such as upgrading a driver, without giving them control over other domain controllers or compromising the security of the AD DS.
RODCs can relieve a lot of security headaches, but you still need to keep a close eye on who's doing what to your writable AD domain controllers (especially if you elect to put one in a remote location, where you can't assure its physical security). Previous server OSes offered very limited security monitoring/logging capabilities, simply logging the name of an attribute that was changed, not the actual changes. The Audit Directory Service Access global audit policy can now log old and new values of an attribute when a successful change is made to that attribute (for example, who changed a password). In Windows Server 2008, this policy is enabled by default and is divided into four subcategories to provide for more granular auditing.
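Enabling the change-auditing subcategory and reading the resulting events back, as an added example that is not part of the article; it assumes you are running elevated on a Windows Server 2008 domain controller, and the event IDs cited are those documented for the Directory Service Changes subcategory.

```powershell
# Added example, not from the article: turn on attribute-level change auditing on a
# Windows Server 2008 domain controller and read back the events, which carry the
# old and new values. Run from an elevated prompt on the DC.

# The 2008 "DS Access" category is split into four subcategories: Directory Service
# Access, Directory Service Changes, Directory Service Replication and Detailed
# Directory Service Replication. List them to see what is already enabled.
auditpol /get /category:"DS Access"

# Enable success auditing for changes only. This subcategory produces
# 5136 (modified), 5137 (created), 5138 (undeleted) and 5139 (moved).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# A modification of an existing value is logged as two 5136 events: one with
# Operation Type "Value Deleted" (the old value) and one with "Value Added" (the new).
# Events appear only for objects whose SACL audits the write; if nothing shows up,
# check the object's auditing entries in Active Directory Users and Computers.
# Pull the five most recent modifications from the Security log, newest first.
wevtutil qe Security '/q:*[System[(EventID=5136)]]' /c:5 /rd:true /f:text

# To gather these from several DCs on one collector, enable the collector service
# with wecutil quick-config; the subscription itself is then defined with "wecutil cs".
wecutil qc /q
```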
Windows Server 2008 enables Network Access Protection (NAP), Microsoft's response to the network access control (NAC) issue, on Vista clients. NAP allows organizations to check a computer's compliance with security policy (up-to-date antivirus, patch level, etc.), with options to quarantine and remediate them. Using software management applications, administrators have the option to automatically update noncompliant computers. Windows Server 2008 provides a variety of server-side components for NAP: Health Policies, NAP Administration Server, System Health Validators, NAP Enforcement components (for IPsec communications, 802.1x, VPN and DHCP), and remediation. The specific components to be installed, the number of servers required and which components go on which servers varies depending on the enforcement methods being supported.
[Figure, "Pulling Logs Together": Through a subscription, you can collect logs from multiple remote computers and store them in a local XML file.]
SECURITY FIRST
Microsoft is touting Windows Server 2008 to be its most advanced operating system yet. Beyond security, there are notable improvements in networking, remote application access, centralized role management, performance and reliability monitoring tools, failover clustering, deployment and the file system.
Windows Server 2008 provides that security foundation for the demanding and varied needs of today's business environments. In particular, Windows Service Hardening is the primary incentive to upgrade your servers. It limits how much damage an attacker can do in the unlikely event a service is compromised. The cost of a security compromise can be huge--witness the impact of Blaster. Microsoft says Blaster would not have been successful against Windows Server 2008.
Of course, as with all new products, you should look at your own infrastructure and business needs to determine if, or how fast, to deploy Windows Server 2008. Test it thoroughly in your environment, perhaps through a pilot program, before widespread implementation.
Read an interview with Bill Laing, Windows Server Division general manager, at searchsecurity.com.