With every new Windows operating system release comes curious anticipation as to just how secure the system is out-of-the-box. I usually like to do a fresh installation of these new releases to see how they withstand the abuse of some good security scanners.
So where does Windows Server 2008 R2 stand, and does it match up to my recent positive security findings of Windows 7? Well, here's what I discovered on a full install of Windows Server 2008 R2 Enterprise Edition.
The first thing I noticed was that I wasn't forced to enter a password for my initial administrator-level user account. Ironically, when I tried setting one later I received the following message:
"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
I guess no password is better than a simple password.
I also found that the Windows Firewall is enabled by default, but network discovery and file sharing are turned off. This is good for security, but not so much for functionality.
Stepping through the Security Configuration Wizard, I found some interesting stuff. The first thing that caught my eye is the wizard's welcome window. As you can see in the figure below, it is recommended that all applications that use inbound ports are running.
I can see this being problematic, especially since many people will likely want to secure the system right after installation. But what about all the applications that are added tomorrow and down the road? Perhaps a re-run of the Security Configuration Wizard is in store, but I just don't see that happening unless it's part of some detailed change management procedures.
Another thing that stood out is how the Security Configuration Wizard walks you through audit policy settings. This is a big plus. I also noticed that lots of things are disabled from the get-go. The following figure is an example of just how pared down Windows Server 2008 R2 is out-of-the-box.
It appears that Microsoft is going to (by golly) have a secure OS from the start. Arguably, this is an approach the company should've had back in the days of Windows NT (though being a security consultant, I'm not complaining).
I suspect many people will be confused -- if not overwhelmed -- with these server configuration options to the point that they'll just enable everything, or enable things without fully understanding the consequences. While this could totally negate many of the wizard's benefits, I'll choose to remain optimistic (for now).
So how does all of this stand up to security scans? Quite nicely, actually. I'm not surprised, either. After all, you can disable most functionality of any operating system and it's going to check out sound and secure.
I used QualysGuard for an unauthenticated scan before I enabled public network discovery and applied default server role/policy settings. The only thing it uncovered was basic NetBIOS name information. Big deal, right? An authenticated test using GFI LANguard 9.0 had a similar outcome, as there was nothing major that jumped out.
I intended to share specific, detailed findings and screenshots, but they're just not there. I plan to dig in much deeper after tweaking the network and services settings to look at Windows Server 2008 R2 from lots of other angles and user roles. I look forward to doing that in real-world scenarios and writing about it in the future.
Getting back to reality though, don't let these findings create a false sense of security surrounding Windows Server 2008 R2. My basic installation had no tweaks or third-party software and minimal human intervention – things known to create vulnerabilities in an otherwise secure system. In addition, there's been minimal time for vulnerability discovery and subsequent exploit code development with this new version of Windows.
As with most things in security, time will tell the real story. For now, Windows Server 2008 R2 is very stout out-of-the-box. Your mission is to keep it that way.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.