News

Security Lockdown Wizard Coming to Windows 2003 in SP1

• By Scott Bekker
• 11/04/2003

Microsoft chairman and chief software architect Bill Gates mentioned such functionality during his Microsoft Professional Developers Conference keynote in Los Angeles last week. While discussing security enhancements coming in future service packs, Gates said Windows 2003 SP1 could contain a “simple configuration where you can say what the type of the server is, and have all things locked down according to exactly that use.”

The decision to put the security feature in SP1 means the feature has been delayed by at least a year. Windows Server 2003 SP1 is expected to go into beta in the first half of next year and be finished in the second half.

Originally Microsoft had talked about including functionality to securely lock down servers by role in the base operating system, which shipped in April. Shortly before the RTM of Windows Server 2003, Microsoft announced that it was packaging the functionality separately for a summer release as a Security Configuration Wizard.

The gold code of Windows Server 2003 has a non-security “Configure Your Server” wizard. Windows Server 2003 also has many more services locked down by default than previous generations of Windows servers did. The Security Configuration Wizard was supposed to run on top of the base Configure Your Server wizard to enable and lock down specific servers based on role. Microsoft had decided in January on several server roles, including file servers, Web servers and directory servers. The company was wrestling with what multi-purpose server roles it would support.

Microsoft officials declined to comment when asked specifically by ENT whether the technology Gates mentioned for SP1 was the Security Configuration Wizard. “Microsoft already provides technology that helps configure your server. This technology was built in Windows Server 2003 and allows you to only turn on what you need. WS03 SP1 will include additional technologies that will make it even easier for administrators to secure their servers,” Microsoft officials said in a statement e-mailed to ENT.

Gates talked about the security lockdown functionality while discussing other security changes coming to Windows Server 2003 and Windows XP in service packs next year. The changes are part of a company initiative code-named “Springboard” that is supposed to improve the security of existing products through service packs.

The other publicly-known, Springboard-related security change coming in Windows Server 2003 SP1 is technology for servers to be able to scan clients as they connect locally or remotely to ensure that they comply with organizational security policies. Microsoft has released a white paper on a similar technology that already exists in Windows Server 2003, and Microsoft had deployed the quarantining technology internally prior to the product’s public release. The service pack presumably aims to make the technology easier to deploy or more robust.

Windows XP will come in line for some security changes in SP2 as well. Among enhancements for SP2 that Gates listed last week were turning on the Internet Connection Firewall by default, changes to Outlook Express and Internet Explorer for safer browsing and e-mail, recompilation of some key modules, a new way of doing code protection and support for hardware features in newer chips that block certain types of exploits.