Win2003
To see exactly what Microsoft has done to improve security, we tested an advance version (release candidate 2) of Win2003. We looked at its basic feature sets, architecture, security functions and the security of subsystems....
What we found is Microsoft has definitely raised the bar, but by how much remains open to interpretation.
Win2003 has addressed "secure by default," in part. It has many more services disabled by default, including the most dangerous--World Wide Web Publishing Service, which makes the system into a Web server and exposes it to frequently discovered HTTP-related exploits. Win2003 has more security controls activated, but still leaves password policy, lockout policy and auditing either disabled or relaxed....
Win2003 provides a new feature called Software Restriction Policies (SRP) to address the risks associated with unknown and untrusted software, such as unlicensed applications or hacker tools. It also includes software inadvertently executed by users browsing compromised Web sites, or introduced via e-mails and worms....
With SRP, admins can lock down exactly what software is allowed to run, using restrictions based on hashes, path names, digital signatures and Internet Explorer's security zones. Although highly valuable, SRP requires significant setup and testing to implement.
New security features are great, but they don't make an operating system more secure. To assess Win2003's security, we looked at it from the perspective of Microsoft's "3-D" mantra--"secure by design, secure by default and secure in deployment."...
Secure by design. Win2003's security design is consistent with a secure kernel-based operating system. That's no surprise, since Windows always has been based on a secure OS model, sharing many of the same qualities as Unix.
Exploits of Windows systems over the years are more a result of fundamental flaws in Microsoft's development process than in the OS's architecture. Most Windows vulnerabilities are careless coding errors, such as forgetting to check a call process' authority before performing a high-risk operation. Coding against buffer overflows and obtuse things like double UTF-8 encoded strings requires extra coding and prioritizing security over functionality--something Microsoft has been reluctant to do until recently.
One area where Win2003's security is lacking is in Internet Explorer (IE). Web browsing (and other activities, such as reading HTML-formatted e-mails which use IE to render the HTML) is inherently dangerous, since it executes code from an untrusted source within a trusted network and under the authority of the user doing the browsing. An IE vulnerability is ultimately a Windows vulnerability, because tricking IE into running arbitrary code allows attackers to access any information or perform any operation that an authorized user can. IE needs some analog to the time-honored concept of the kernel/user mode boundary in classic OSes that keeps application code from breaking out of its controlled environment.
Despite the rhetoric, Microsoft hasn't completely abandoned usability in favor of security, but it's much closer to where it should be. Most of the new features don't do much to prevent the exploits that have plagued the Windows OS family over the years. That said, the new Software Restriction Policies stands out as something that could reduce the viability of many exploits by preventing the execution of unauthorized code. Otherwise, most of Microsoft's efforts to make Win2003 more resilient to exploits are changes to default configuration and aids to deploying Win2003 securely.
Good article, worth the read.