The struggle between the Linux and open source community and Microsoft to claim security dominance has been hotly debated in the last five years. Each side has raged about the number and nature of its competitor's vulnerabilities, practicing some shameful, but unsurprising, abuse of statistics. Heated words have been exchanged about default posture and installation and the relative merits of a variety of security features, tools and controls.
With Windows Server 2008 scheduled for release in February 2008, many want to know if enhancements to the server platform will change opinions on Windows security capabilities. While Windows Server 2008 adds some improvements to its security features, the Linux server will remain the more secure platform.
The Windows Server 2008 release implements many of the features introduced in Vista in much the same way Windows 2003 implemented features from Windows XP. In the security space, Microsoft has delivered new functionality, such as:
- New and enhanced identity and access controls
- Disk encryption
- Read-only Domain Controllers
- Network access controls
- A number of hardening enhancements
Some of these new features resemble features available on Linux platforms, such as enhancements in the areas of identity management and access control. One of the perceived strengths of Windows is in Active Directory and its ability to provide single or near single sign-on to many different Microsoft applications. Providing a framework for full federated identity is another enhancement of Server 2008, which aims to extend this integration to other platforms. Clearly, this demonstrates an acceptance of interoperability and working in mixed environments.
Many see unified identity management as one of the weaknesses of the Linux platform. A variety of commercial and open source solutions include tools like NIS (Network Information Service) and LDAP (Lightweight Directory Access Protocol). Products from Sun, Oracle and Tivoli are available but are not always integrated. This new unified identity management functionality from Windows comes as the Samba team has indicated that support for running your own Samba Domain Controller is nearly production ready. With the latest migration tools, existing Windows Server 2003 Domain Controllers could be replaced with Linux servers running Samba 4. The new Samba functionality, combined with the recent agreement between the Protocol Freedom Information Foundation and Microsoft, will mean Linux platforms are well poised to take more of the market share away from Microsoft.
One of the other interesting new features in Server 2008 is Network Access Protection, or NAP. NAP allows an administrator to control the network access of a host based on the health of that host. For example, if anti-virus is not installed on the host, then a DHCP address will not be issued and the host can be dropped into a quarantined network. This functionality, known as Network Access Control (NAC), is powerful in enterprise environments to assist in enforcing standards and server operating environments.
While new to Windows Server, NAC is not so new in the open source world. There are several open source alternatives for NAC, most notably PacketFence, which comes in a GUI-based appliance model, and FreeNAC. Both products provide functionality similar to, if not more expansive than, Microsoft's NAP technology.
Server 2008 also contains firewall enhancements introduced in Vista, making the firewall more flexible and capable of being tailored. Of course, compared to the more powerful open source equivalents like iptables and ipf, it is still an adjunct. But the enhancement indicates that Microsoft has taken on board the defence-in-depth model, rather than relying on external firewalls to protect server hosts.
The security-related changes in Windows Server 2008 also suggest that Microsoft has acknowledged weaknesses in the platform. How effective these enhancements are in improving the overall security of the platform remains to be seen, as does the uptake of Microsoft's latest offering. Vista has had limited success, particularly in the corporate world, with many enterprises having delayed desktop rollouts in favor of retaining Windows XP. Customers may also choose to stay with their existing Windows Server 2003 fleets rather than immediately migrate to the new platform.
It is certainly possible that the release of Windows Server 2008 will be much like that of Vista last year, creating a lot of marketing noise, but creating little excitement among customers. And like the Vista release, Microsoft Windows 2008 is unlikely to make a significant change in the security landscape.
About the author: James Turnbull is the author of Pro Nagios 2.0 and Hardening Linux. A security architect for the National Australia Bank, James is the resident security expert for SearchEnterpriseLinux.com. Recently, James discussed the risk of viruses and malware to Linux systems.