If you missed the first part in this series, click here to read "Changes to Default Settings Make Windows Server 2003 More Secure (Part 1).
A few weeks ago, in Part 1 of this two-part article, we discussed how today’s high risk computing environment, rife with viruses, worms and potential intruders and attackers, means today’s operating systems must take a different approach to security from those of the past. It is more important than ever that higher security be part of the default configuration. Consequently, Microsoft has made a number of changes to the default settings in Windows 2003 to make it more secure “out of the box.”
We already looked at some of those changes, including differences in default permissions (both share and NTFS), changes to the membership of the Everyone group, and changes to ownership of objects. In Part 2, we’ll examine the changes that have been made to the default settings for common services and changes in the authentication process, and we’ll discuss some areas in which some believe that Server 2003’s defaults are still too open.
Default Settings for Common Services
Another change in Windows Server 2003 is that a smaller number of services now run under the local system’s account. Almost all services used this account in Windows 2000. Programs that run in this context have unlimited privileges on the local computer, which presents an obvious security risk. Instead of using the local system account, some common services now use the local service or network service account. These accounts have much a lower level of privileges than the local system account.
There are still many services that do log on as the local system (for example, the Automatic Updates service, the computer browser service and the DHCP client, along with many others, still use the local system account). However, several others do not. For example, the Alerter service, which used the local system account in Windows 2000, uses the local service account in Server 2003, and the DNS, which used the local system account in Windows 2000, uses the network service account in Server 2003. This provides for better security.
Changes in the Authentication Process
The authentication process has been improved for better security, both when logging onto the local computer and when logging onto a domain. One important change for local computer authentication is the inability to use blank passwords when accessing the system remotely (note, however, that blank passwords can still be used at the console).
Cross-forest trusts are a new feature for Active Directory domain authentication. A forest trust uses Kerberos v5 or NTLM, routing the authentication requests across forests. Administrators can control the scope of authentication between two forests that have a trust relationship, using selective authentication. When the selective authentication option is in use, you can manually set permissions on the domains and resources to which you want to grant access to users in the other forest.
Changes to IIS
Some of the most dramatic changes are to the default settings in IIS 6.0. The web server now is not installed by default when you install Server 2003 Standard, Enterprise and Datacenter editions (it is installed in Web Server edition, for obvious reasons). This helps to eliminate the all too common occurrence in which administrators are inadvertently running rogue web servers on the network.
If you do install IIS 6.0, by default it is in a “locked down” mode in which dynamic content components such as ASP, WebDAV and FrontPage extensions are disabled. IIS 6.0 also includes new authentication method and URL authorization for greater security. For more information about IIS 6.0’s new security features, see my article titled What’s New in Windows 2003 Server: IIS Security Enhancements at http://www.windowsecurity.com/articles/IIS_Security_Enhancements.html.