How Windows Server 2008 R2 stands up to security checks


Kevin Beaver, CISSP
11.09.2009


With every new Windows operating system release comes curious anticipation as to just how secure the system is out-of-the-box. I usually like to do a fresh installation of these new releases to see how they withstand the abuse of some good security scanners.

So where does Windows Server 2008 R2 stand, and does it match up to my recent positive security findings of Windows 7? Well, here's what I discovered on a full install of Windows Server 2008 R2 Enterprise Edition.

The first thing I noticed was that I wasn't forced to enter a password for my initial administrator-level user account. Ironically, when I tried setting one later I received the following message:

I guess no password is better than a simple password.

I also found that the Windows Firewall is enabled by default, but network discovery and file sharing are turned off. This is good for security, but not so much for functionality.

Stepping through the Security Configuration Wizard, I found some interesting stuff. The first thing that caught my eye is the wizard's welcome window. As you can see in the figure below, it is recommended that all applications that use inbound ports are running.

Figure 1
[IMAGE]

I can see this being problematic, especially since many people will likely want to secure the system right after installation. But what about all the applications that are added tomorrow and down the road? Perhaps a re-run of the Security Configuration Wizard is in store, but I just don't see that happening unless it's part of some detailed change management procedures.
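The concern above is that applications installed after the Security Configuration Wizard run open inbound ports the wizard never saw. As an added example (not from the article or from Microsoft), this PowerShell 2.0 script compares current TCP listeners against a baseline saved when the wizard was run; the function names and sample rows are constructed here, and it assumes English-language `netstat -ano` output.

```powershell
# Added example: report TCP listeners that were not present when the
# Security Configuration Wizard (SCW) was last run.
# Function names are hypothetical; sample rows below are constructed.

function ConvertFrom-NetstatListening {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Row layout: Proto  Local:Port  Foreign:Port  State  PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Address   = $Matches[1]
                Port      = [int]$Matches[2]
                ProcessId = [int]$Matches[3]
            }
        }
    }
}

function Get-NewListener {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) {
        if ($b) { $known[$b.Port] = $true }   # guard: PS 2.0 iterates $null once
    }
    $Current |
        Where-Object { $_ -and -not $known.ContainsKey($_.Port) } |
        Sort-Object Port -Unique
}

# Constructed baseline, as saved right after the SCW run.
$baselineText = @(
    '  TCP    0.0.0.0:135      0.0.0.0:0       LISTENING       712',
    '  TCP    0.0.0.0:445      0.0.0.0:0       LISTENING       4',
    '  TCP    [::]:135         [::]:0          LISTENING       712'
)
# Constructed later capture; on a live server use: $currentText = netstat -ano
$currentText = $baselineText + @(
    '  TCP    0.0.0.0:8080     0.0.0.0:0       LISTENING       2316',
    '  TCP    10.0.0.5:49160   10.0.0.9:445    ESTABLISHED     4'
)

$new = Get-NewListener -Baseline (ConvertFrom-NetstatListening $baselineText) `
                       -Current  (ConvertFrom-NetstatListening $currentText)
$new | Select-Object Port, Address, ProcessId
```

Any port it reports was opened after the baseline, which is the cue to review the matching firewall rule and re-run the wizard as part of change management.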

Another thing that stood out is how the Security Configuration Wizard walks you through audit policy settings. This is a big plus. I also noticed that lots of things are disabled from the get-go. The following figure is an example of just how pared down Windows Server 2008 R2 is out-of-the-box.

Figure 2
[IMAGE]

It appears that Microsoft is going to (by golly) have a secure OS from the start. Arguably, this is an approach the company should've had back in the days of Windows NT (though being a security consultant, I'm not complaining).

I suspect many people will be confused -- if not overwhelmed -- with these server configuration options to the point that they'll just enable everything, or enable things without fully understanding the consequences. While this could totally negate many of the wizard's benefits, I'll choose to remain optimistic (for now).

So how does all of this stand up to security scans? Quite nicely, actually. I'm not surprised, either. After all, you can disable most functionality of any operating system and it's going to check out sound and secure.

I used QualysGuard for an unauthenticated scan before I enabled public network discovery and applied default server role/policy settings. The only thing it uncovered was basic NetBIOS name information. Big deal, right? An authenticated test using GFI LANguard 9.0 had a similar outcome, as there was nothing major that jumped out.

I intended to share specific, detailed findings and screenshots, but they're just not there. I plan to dig in much deeper after tweaking the network and services settings to look at Windows Server 2008 R2 from lots of other angles and user roles. I look forward to doing that in real-world scenarios and writing about it in the future.

Getting back to reality though, don't let these findings create a false sense of security surrounding Windows Server 2008 R2. My basic installation had no tweaks or third-party software and minimal human intervention – things known to create vulnerabilities in an otherwise secure system. In addition, there's been minimal time for vulnerability discovery and subsequent exploit code development with this new version of Windows.

As with most things in security, time will tell the real story. For now, Windows Server 2008 R2 is very stout out-of-the-box. Your mission is to keep it that way.


Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


All Rights Reserved, Copyright 2004 - 2009, TechTarget