I'd agree with you when you say that Microsoft have done a huge amount with security over the last couple of years, including making other peoples products developed using Microsoft technologies far more secure (ASP.NET has a much improved level of security over classic ASP as I can testify from many penetration tests)

However I do think that the area that Microsoft are letting themselves down on is modularity of software.

You mention Media Player being installed and hard to remove and that is a classic example, and I must say I think that is the core issue, locking it down after the fact should be unnessecary as it shouldn't be installed by default.

However I'd go further than that. Why do many servers need an Internet Browser installed, or indeed a GUI. In terms of attack surface, quantity of code installed has to be considered, as if it's installed, it may be possible to execute it.

On other area that I hope that Microsoft improve on is modularity of network services, for example on a web or application server, should you need a service listening on port 445? Yes you can firewall it but that's patching after the fact.

My opinion is that if Microsoft can improve in these areas they would be addressing probably their last main area of security weakness (as you mentioned they've done a lot to address their other one, legacy code)

Very valid points. Realistically, I belive MS has done more in the past 2-3 year than the rest of the industry put together (of course due to the fact that they are the majority of OS).
It is easy for companies like nCircle to have the "MS hating is my motto" approach, but realistically I haven't seen anything good come out of vendors like nCircle (they included as I recently evaluated one of their products to 'plug' the Security holes that MS created!).

Rory,

I agree it would be nice to have Windows Server without a UI. Unfortunately, not many "Windows admins" are console people to really benefit from the removal of the shell. On top of that, it is so inter-woven into the fabric of the OS, I don't believe it would be easy to remove at all.

That leaves us with reducing the attack surface by removing executable code that doesn't need to run. Or at the very least, reducing the opportunity to run through restriction policies. Unfortunately, if an administrator really wants to run something, they would be able to make changes to the policy and make it work. This is why education is important and key to ensuring the server stays secure.

I do like what Microsoft did in Windows Server 2003 to slow down surfing. The tightened the security zones to make it more difficult to just go out and surf. In Longhorn server, LRIE (Low Rights IE) will take effect and reduce the security context of IE to equivilent of something like 'guest'. This will thwart a lot of the problems that exist now.

All in due time. Thanks for the great comments.

Vasu,

Yep. It's extremely easy to target Microsoft when you work at a security company. Funny enough, many have profited highly from this. And most don't want to accept that in the future, they may have to update their products signficantly to take advantage of the offerings the newer operating systems will provide.

What good is vulnerability assessment services if the hosts attack surface is drastically reduced, the software stays patched, and free from vulnerabilities? We all become safer, but these appliances report very little. :)

I don't think its fair to beat on nCircle though. Although I haven't used their products, any company willing to stick their neck out and build tools to help find and remediate network threats is good in my books. Well, except when employees inappropriately drive FUD into the process. You know, like posting that Microsoft security initatives are a joke. :)

If Microsoft hadn't "really had a chance to apply security to their software development lifecycle" until 4-5 years ago, why would I consider using such an immature product for a mission-critical server? When with a product like Solaris or another of the BSDs I have a comprehensible permissions model, comprehensive control over my ports, and the freedom to replace or remove components at will?

I'm not sure if you are trolling or not here David. I will assume not, as most people who post here have the professional courtesy to offer objective opinions and counterpoints to allow for critical reflection.

I can't answer your question for you. Only you can determine which tools and technologies meets your needs. In our offices, we have a mixture of Linux and BSD systems driven by a Windows AD setup. Our client machines are almost exclusively Windows based and this setup works for our needs. Yours may be entirely different.

But to be clear, secure software != security software. Microft has a comprehensible permission model and control structure just as Solaris and BSD do. They are applied differently of course, but it does exists. Hence why Windows Server 2003 was able to get the same Common Criteria Standards credentials that various Unix operating systems have had.

What Microsoft hasn't done very well in the past was design secure software, in which it was more resilient to network attack. This has changed. Does it make it "immature"? Not really. Over the years there have been many vulnerabilities discovered in Solaris due to same insecure programming practices. Secure coding is not a Microsoft problem. It is a developer problem across the entire spectrum of software out there.

If anything, the Microsoft server platform is maturing. It has one benefit many other operating systems don't seem to have. It is CONSISTANTLY and CONSTANTLY being hammered on by attackers because of the nature of the availability of the platform. That is not to say Solaris doesn't have any market penetration, but lets be real. Attackers are lazy and will go where they can benefit the most. And that will be the plethora of Windows systems out there.

This may seem like a drawback to most people, but I think its an asset. The more it gets beat on and successfully attacked, the better it gets as Microsoft learns from it. Proof is in the pudding. Look at the number of vulnerabilities in Windows Server 2003 against Windows Server 2000 or even Red Hat Enterprise Edition.

Of course, if you are not comfortable with the platform, and you find that Solaris meets your business objectives, then by all means use it. I am all about using the right tool for the job.

And my needs are apparently much different than yours.

Not trolling - I was just amused to see your suggestion that MS began to "apply security to their software development lifecycle" *after* their current server product was released, and wondered how that would sound to someone trying to do due diligence on a new server OS.

My comment on the comprehensibility of the MS permissions model was prompted by your January 31 reference to the Princeton paper that contrasted the 3-4 privileges (read-modify-execute and sometimes suid) x 3 objects (file/directory/device) UNIX model to the 15 privileges x 30 objects in Windows. I'm getting pretty old, and can handle 9 or 12 relationships a lot better than 450!

I don't often comment anywhere and don't mean to cause trouble, but I have to admit that it seems surreal to read complaints about not being able to remove unwanted features or close unneeded ports in a server OS.