Microsoft touts Longhorn security

The company says that a better firewall, IPv6 support, better onboard encryption, and network access protection make Windows Server 2008's security a primary selling point

Microsoft is pushing the improved security of its Windows Server 2008 software package as one of the primary reasons why business customers should upgrade to the long-awaited product refresh as quickly as possible.

[ Get the scoop on the entire Windows Server family in our special report ]

In addition to being fully designed under Microsoft's SDLC (security development lifecycle) initiative -- a program already credited with allowing Microsoft to ship its products with far fewer vulnerabilities than previous iterations -- Server 2008 has new features that should help customers address a range of important security issues, according to company officials.

Microsoft representatives claim that beefed-up firewall technology, support for the emerging IPv6 Internet protocol, improved onboard encryption and further integration with its Active Directory registry system, among other additions, represent a significant step forward for the release formerly-known as Longhorn in terms of its overall security standing.

The company has also finally delivered its NAP (network access protection) technology -- Microsoft's flavor of the access control tools identified more widely under the banner of NAC (network access control) -- that many security industry watchers have cited as a potential accelerant for device and user network authentication efforts.

Company officials said that the software maker was specifically set on defending the updated infrastructure technology against malware attacks while boosting ID and access control, adding encryption and document protection features, and enhancing the system's reporting and audit functions to handle compliance-related tasks.

As it has claimed Vista to be the safest OS that it has ever shipped, based on the continued adoption of SDLC and added security functionality, Windows Server 2008 follows suit, said Brendon Lynch, director of privacy strategy at Microsoft.

"With the way that information has become the new currency for crime, it is critical for customers to better protect and govern data; part of this process is about people and process, but technology has to serve a role in supporting all this, and we believe that the enhancements made in Server 2008 do just that," Lynch said.

Along with further hardening the software to prevent attacks that attempt to misuse its services and preventing unnecessary interaction with its kernel to thwart root kits, the new filtering, encryption, and Active Directory features should go a long way toward helping customers reduce their attack surface, company officials said.

With NAP, Windows Server 2008 users gain not only a new method for enforcing endpoint device authentication and anti-virus capabilities, but also the ability to integrate their infrastructure more tightly with third-party NAC products, such as those made by networking vendors like Cisco Systems and security players like Symantec.

While Microsoft has often been criticized for failing to align itself closely with IT industry standards, its work to drive interoperability with the Trusted Computing Group's NAC efforts should prove beneficial to users of existing access control and anti-virus technologies, officials said.

"The great advantage with NAP is interoperability, not only with networking gear, but all the external AV vendors," said Amith Krishnan, senior product manager at Microsoft. "We think that along with existing Microsoft security technologies in Vista and [SharePoint Server] this represents our ability to offer customers end-to-end protection for the first time."

Windows Server 2008 may help speed adoption of NAC
While pointing out that it will likely take time for NAP to become widely adopted by end-users and that the access control technology has yet to prove itself as enterprise-grade, representatives at security market leader Symantec observed that the tool's arrival should prove beneficial for customers, at least in terms of fostering NAC integration.

"I don't think that its the technology that is so interesting, but rather the fact that this is a well thought-out, fairly open architecture that can bring more legitimacy to NAC as a technology," said Rich Langston, senior manager of product management at Symantec. "Its arrival should bring additional comfort to existing adopters of the technology. When we talk to customers about the capabilities of NAC, they tend to have a lot of concerns [about interoperability]. Having NAP built into Vista and Longhorn should solve a lot of objections."

As a result, many customers that have been holding off on using NAC -- thought to be a valuable method for keeping infected devices off of corporate networks -- may decide to adopt the technology now that it is fully supported in Microsoft's newest products, he said.

At least one customer working with a beta version of Windows Server 2008 said that the product does indeed represent a substantial improvement over previous versions in terms of fostering more comprehensive security.

Matt Okuma, enterprise architect at Pacific Coast Companies, a building materials manufacturing specialist with close to 4,000 employees, said that the integrated security features in Windows Server 2008 are appealing from the standpoint of both integration and security budget management.

"People have companies they feel safe with using, and we're comfortable using Microsoft because when you have a product so large and your IT support staff isn't that big, you need a common platform for security, and Microsoft has that now," Okuma said. "For us, just the work needed to integrate third-party security tools for some of these functions would likely lead to us being less secure overall."

From the improvements made to the underlying software code derived via SDLC to the addition of NAP, the customer said that he is encouraged by what Windows Server 2008 can bring to the table in terms of bolstering IT security. "You can only assume that there will be some pain points with getting everything that runs with Server '03 to run with Server '08, but it seems like [Microsoft] has done all the work," he said. "If we can do NAP without buying a third-party product for access control that will be great; I don't want to introduce another piece of software if we can use a common platform."

Industry analysts said that the security improvements resident in Longhorn may not have the same big-bang effect as those that first appeared in Windows Server 2003, including the impact of SDLC, which was used to drum vulnerabilities out if that product, but the experts said that the new release should been seen as an extension of the software maker's commitment to improving the stability of its products.

"They made a huge step forward with Windows Server '03, that was the first product from Microsoft since it started taking security seriously, and Server 2008 is an evolutionary continuation from there, versus anything dramatic," said John Pescatore, analyst with Gartner. "A lot of the improvements here are continuations of the big leap made in Server 2003."

However, the expert said that the arrival of NAP could lead to noticeable growth in the adoption of NAC as companies that have been holding off on embracing the access control tools may finally get off the fence.

"First we have to wait for people to roll out Active Directory on Server 2008, and that will take time, but by 2009 I expect to see enterprises who have been saying they want to do NAC, but were waiting for NAP, to move forward," he said. "This will also force standalone NAC vendors to prove that they offer real value beyond what is being baked into the Windows product line."