How Windows Server 2008 R2 stands up to security checks

With every new Windows operating system release comes curious anticipation as to just how secure the system is out-of-the-box. I usually like to do a fresh installation of these new releases to see how they withstand the abuse of some good security scanners.

So where does Windows Server 2008 R2 stand, and does it match up to my recent positive security findings of Windows 7? Well, here's what I discovered on a full install of Windows Server 2008 R2 Enterprise Edition.

The first thing I noticed was that setup never forced me to enter a password for my initial administrator-level user account. Ironically, when I tried setting one later I received the following message:

"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

I guess no password is better than a simple password.
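The mismatch above (a blank password accepted at setup, a simple one rejected afterwards) is worth checking on any build. The following is an added example, not code from the article: it exports the effective local password policy and lists enabled local accounts that carry the "password not required" flag, which is the flag that lets an account sit with no password at all. It assumes an elevated PowerShell 2.0 prompt on Windows Server 2008 R2; the temporary file name is my own choice.

```powershell
# Added example (not from the original article): audit the local password
# policy and flag local accounts that are allowed to have no password.
# Assumes an elevated PowerShell 2.0 prompt on Windows Server 2008 R2.

# 1. Export the local security policy to an INF file and pull the password
#    settings out of its [System Access] section. secedit writes the file as
#    UTF-16 with a BOM, which Get-Content detects on its own.
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # temporary file, name is arbitrary
secedit /export /cfg $inf /quiet | Out-Null

Write-Host "Effective local password policy:"
Get-Content $inf | Where-Object {
    $_ -match '^(MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|MaximumPasswordAge|MinimumPasswordAge)\s*='
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Enabled local accounts whose "password not required" flag is set.
#    The flag does not prove the password is blank, only that the account is
#    permitted to have one; every hit should be checked and the flag cleared.
Write-Host "`nEnabled local accounts that do not require a password:"
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { -not $_.PasswordRequired -and -not $_.Disabled } |
    Select-Object Name, SID, PasswordRequired, PasswordChangeable, Lockout |
    Format-Table -AutoSize
```

A value of `PasswordComplexity = 1` with a non-zero `MinimumPasswordLength` is what produced the error message quoted above; the second query tells you whether any account slipped in under the setup-time exception before that policy applied.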

I also found that the Windows Firewall is enabled by default, but network discovery and file sharing are turned off. This is good for security, but not so much for functionality.
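To confirm that default posture rather than take the Network and Sharing Center's word for it, the following added example (not from the article) reads the firewall state through its COM interface and lists the inbound rules in the two rule groups that the network discovery and file sharing switches toggle. It assumes an elevated PowerShell 2.0 prompt on an English-language Windows Server 2008 R2 install, since the rule names below are the English display names.

```powershell
# Added example (not from the original article): show the firewall state per
# profile and the inbound rules behind "network discovery" and "file sharing",
# then the command that turns those rule groups on. Assumes an elevated
# PowerShell 2.0 prompt on an English-language Windows Server 2008 R2 install.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Profile IDs as defined by the Windows Firewall API: 1 = Domain, 2 = Private, 4 = Public.
$profiles = @{ 'Domain' = 1; 'Private' = 2; 'Public' = 4 }
foreach ($name in $profiles.Keys) {
    $id = $profiles[$name]
    # DefaultInboundAction: 0 = allow, 1 = block. A fresh install should report
    # FirewallEnabled=True and DefaultInboundAction=1 for all three profiles.
    "{0,-8} FirewallEnabled={1} DefaultInboundAction={2}" -f $name,
        $fw.FirewallEnabled($id), $fw.DefaultInboundAction($id)
}

# Inbound rules (Direction 1 = in) in the two groups the sharing switches control.
# Profiles is a bitmask of the IDs above; LocalPorts shows what each rule exposes
# (137-139 for NetBIOS, 445 for SMB, 5355 for LLMNR, and so on).
$fw.Rules |
    Where-Object {
        $_.Direction -eq 1 -and
        ($_.Name -like 'Network Discovery*' -or $_.Name -like 'File and Printer Sharing*')
    } |
    Sort-Object Name |
    Format-Table Name, Enabled, Profiles, Protocol, LocalPorts -AutoSize

# Out of the box these rows should all show Enabled=False, matching the
# observation above. Turning a group on is one command; it enables every rule
# in the group for every profile it is assigned to, so decide first which
# profile should be allowed to reach SMB and NetBIOS:
#   netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
#   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
```

Re-running the query after the two `netsh` commands is the quickest way to see exactly which ports the convenience switch opened, and on which profiles.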

Stepping through the Security Configuration Wizard, I found some interesting stuff. The first thing that caught my eye is the wizard's welcome window. As you can see in the figure below, it recommends that all applications that use inbound ports be running before you continue, because the wizard bases its service and firewall recommendations on what it finds running on the machine at that moment.

Figure 1: Security Configuration Wizard welcome window

I can see this being problematic, since many people will run the wizard right after installation, before any applications are in place. What about the applications that are added tomorrow and down the road? Each of them would call for a re-run of the Security Configuration Wizard, and I just don't see that happening unless it's part of a detailed change management procedure.
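The wizard does ship a command-line companion that makes the re-check cheap enough to schedule. The following is an added example, not from the article: it compares the running server against the SCW policy that was saved when the box was built, so a service or listening port that appeared after the wizard was last run shows up as a difference rather than staying silently unguarded. It assumes an elevated prompt on Windows Server 2008 R2, a policy the wizard previously saved as C:\Policies\baseline.xml (a hypothetical path), and the stock analysis transform that SCW installs under %windir%\security\msscw\TransformFiles.

```powershell
# Added example (not from the original article): re-analyze this server against
# a saved Security Configuration Wizard policy with scwcmd.exe. Assumes an
# elevated prompt on Windows Server 2008 R2. C:\Policies\baseline.xml and
# C:\Policies\analysis are hypothetical paths chosen for this example.

$policy = 'C:\Policies\baseline.xml'
$outDir = 'C:\Policies\analysis'
$xsl    = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'

if (-not (Test-Path $policy)) { throw "Saved SCW policy not found: $policy" }
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Compare the server's current services and firewall settings with the policy.
# scwcmd writes the result as <computername>.xml in the output directory.
scwcmd analyze "/m:$env:COMPUTERNAME" "/p:$policy" "/o:$outDir"

# Render the XML result with the stock stylesheet and open it as a report; the
# Services and Firewall sections list every item that now differs from the baseline.
$result = Join-Path $outDir ("{0}.xml" -f $env:COMPUTERNAME)
if (Test-Path $result) {
    scwcmd view "/x:$result" "/s:$xsl"
} else {
    throw "scwcmd analyze produced no result file at $result"
}
```

Wrapping this script in a weekly scheduled task, and treating any difference as a change that needs a ticket, is the lightweight version of the change management procedure mentioned above.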

Another thing that stood out is how the Security Configuration Wizard walks you through audit policy settings. This is a big plus. I also noticed that lots of things are disabled from the get-go. The following figure is an example of just how pared down Windows Server 2008 R2 is out-of-the-box.

Figure 2: Security Configuration Wizard showing settings that are disabled by default

It appears that Microsoft is going to (by golly) have a secure OS from the start. Arguably, this is an approach the company should've had back in the days of Windows NT (though being a security consultant, I'm not complaining).

I suspect many people will be confused -- if not overwhelmed -- with these server configuration options to the point that they'll just enable everything, or enable things without fully understanding the consequences. While this could totally negate many of the wizard's benefits, I'll choose to remain optimistic (for now).

So how does all of this stand up to security scans? Quite nicely, actually. I'm not surprised, either. After all, you can disable most of the functionality of any operating system and it's going to check out sound and secure.

I used QualysGuard for an unauthenticated scan before I enabled public network discovery and applied the default server role and policy settings. The only thing it uncovered was basic NetBIOS name information. Big deal, right? An authenticated test using GFI LANguard 9.0 had a similar outcome: nothing major jumped out.

I intended to share specific, detailed findings and screenshots, but they're just not there. I plan to dig in much deeper after tweaking the network and services settings to look at Windows Server 2008 R2 from lots of other angles and user roles. I look forward to doing that in real-world scenarios and writing about it in the future.

Getting back to reality though, don't let these findings create a false sense of security surrounding Windows Server 2008 R2. My basic installation had no tweaks, no third-party software and minimal human intervention, and those are exactly the things known to create vulnerabilities in an otherwise secure system. In addition, there's been minimal time for vulnerability discovery and subsequent exploit code development against this new version of Windows.

As with most things in security, time will tell the real story. For now, Windows Server 2008 R2 is very stout out-of-the-box. Your mission is to keep it that way.

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in November 2009
