Some thoughts about Windows Server 2008


Windows Server 2008 has shipped! And a fine product it is, too!


Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista, and we REALLY raised the bar in Windows Server 2008.


Windows Server 2008 is a prime product example of our ongoing commitment to Trustworthy Computing, and how the company is making good on its commitment to continue to build the most secure computing environment possible. After the Trustworthy Computing commitment was made a few years ago, we’ve has made great strides in the right direction, and last week’s product launch (Windows Server 2008, SQL Server 2008, and Visual Studio 2008) clearly shows that security remains a top priority.


While I tend to focus on “Secure Features” Windows Server 2008 is full of “Security Features.” Someone asked me for my favorite security features. In no particular order, they are:



  • The various defenses we see in Windows Vista: stack defenses, heap defenses, ASLR, NX etc etc

  • Server Core (ok, technically not a security feature, but a critical way to dramatically reduce a server’s attack surface)

  • Network Access Protection (NAP)

  • Server and Domain Isolation

  • Read-Only Domain Controllers

  • Suite-B crypto support

Oh, the Windows Server 2008 Security Guide is now available!

Comments (11)

  1. Când am lansat Windows Vista și Office 2007 în decembrie 2006 , am amintit că dacă m-ar întreba cineva

  2. Mark Sowul says:

    I’ve mentioned this before elsewhere, but very rarely, if ever, do security bulletins mention the impact of DEP as a mitigating factor for those who have it set to OptOut (the only problem app I have is a plugin for Outlook, which means Outlook has it disabled).  For example, the infamous WMF exploit from a few years ago was blocked by DEP but that was never mentioned.

  3. NicoAtMicrosoft says:

    There’s still a chance to attend one of the launch events in various cities, too!  The LA Event was fun, and Steve Ballmer’s keynote was particularly nice to watch.

    **************

    Nico del Castillo

    Microsoft 2008 Joint Launch Team

    http://www.microsoft.com/2008jointlaunch

  4. Mark Sowul says:

    Oh, I absolutely agree with you on judging Vista not just on vulnerabilities but the defense-in-depth mentality – I am just speaking in terms of "am I susceptible to this vulnerability given that it does exist" and rarely is DEP mentioned as a mitigating factor.  

    What made me think of this particularly is the new Facebook/MySpace image uploader ActiveX vulnerability – I suspect the combination of IE7 in protected mode plus the fact that it runs under DEP means I would not be vulnerable to it, since it’s your usual run-of-the-mill stack buffer overrun, but rarely are these kinds of things pointed out in vulnerability notices.

  5. Osama Salah says:

    "…making it the most secure version of Windows Server to date"

    how can someone make such a claim if its barely being used? You can prove its secure only by failing to break it and for that it hasn’t been adopted long enough.

    You can only theoretically hope it is more secure because you improved your development process, but that’s speculative again. Maybe the SDL implementation at MS is flawed, etc.

    so be careful with such statements.

    In all cases I do sincerely hope that Windows 2008 will offer superior security.

  6. Osama. by looking at new security bugs that get reported to us, and noticing that they don’t affect the product!

  7. Osama Salah says:

    that makes sense to see a trend there and make such a prognosis.

    In all cases I do expect a new product to be more secure than a previous one, the benchmark would be the incremental improvement achieved and judging from the new features and architectural improvements it is very promising. It will of course have a few security problems that will affect it, but such is life. Besides you need something for Windows 2010 😉

    rgds

    Osama Salah

  8. Alistair Railton says:

    Yes Micheal it is a fine looking product. And I haven’t bumped into your name for at least 20 years !!! Damn you must be old now :p

    I was suprised to see how easy it blue screened when remote administration is used. This is easy to rectify by not using vista themes on the server, however it does trigger a thought or two.

    If you want more information on the blue screen problem then yell out, but it seems to only happen if the aero theme is turned on, the administrator is logged into the server console and a rdp connect is performed by the administrator.

  9. Bloody Hell, Railton!! How’re you? Email me your contact info. You can send it by selecting This Blog –> Email at the top right of the blog.