Tip

Longhorn Server security enhancements are long-awaited

Microsoft presented security enhancements to be included in Longhorn Server at the company's recent TechEd conference in Orlando, Fla. And many of the features mentioned had people in the audience saying, "It's about time."

If all the enhancements actually make it into the final build, Longhorn should be the most secure Microsoft operating system ever. Keep in mind, though, that anything can change between now and when Longhorn is released, which is expected to be sometime in 2006. Please also note that there are dozens of security enhancements I could discuss. Here, I only focus on the more significant improvements.

Longhorn securely coded

One thing that will set Longhorn apart from Windows XP and Windows Server 2003 is that security was the primary design consideration, not an afterthought. Microsoft actually retrained its development staff on how to write secure code. The developers went on to create a threat model for each piece of code and have been performing extensive security testing against them. In case you are wondering, having the developers write secure code doesn't mean the operating system will be completely secure. What it does mean is that we probably won't have to worry about things like buffer overflow exploits against Longhorn.

    Requires Free Membership to View

One thing that will set Longhorn apart from Windows XP and Windows Server 2003 is that security was the primary design consideration, not an afterthought.
Brien Posey
contributorTechTarget

Code integrity checking added

Longhorn also provides many new security features. One long-awaited feature is code integrity checking: Each of the operating system's files is digitally signed, and the operating system knows exactly how many bytes each file should be. If the feature works as planned, you won't have to worry about viruses or hackers replacing operating system files with malicious files of the same name. The operating system will be smart enough to detect such changes and prevent them.

Encrypting File System (EFS) improved

Another great security enhancement will be the way that the Encrypting File System (EFS) works. As you may know, EFS has been around since Windows 2000, but it has some shortcomings. For instance, you can't encrypt the volume that contains the operating system. That renders EFS useless for workstations that only have a single volume. As another example, if you lose the encryption key, your data could be gone forever (assuming that no key-recovery agent is available).

Longhorn will be the first Windows operating system that allows you to encrypt the volume that contains the operating system. The only catch is that doing so requires a Trusted Platform Module (TPM) hard drive. TPM-enabled hard drives aren't available for consumer-grade machines yet, but with Dell Inc., Hewlett-Packard Co., IBM and Toshiba Inc. already producing TPM hard drives for servers, I suspect they will be readily available before Longhorn hits the store shelves.

But what about those pesky EFS encryption keys? Longhorn will allow you to export your EFS keys to a smart card. This means that if your hard drive has a problem, you won't risk losing your EFS keys (and the ability to decrypt your data).

As you can see, Longhorn is going to offer some huge security improvements over Windows XP and Windows Server 2003. Best of all, these improvements are just the tip of the iceberg.

About the author: Brien M. Posey is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.


Reader Feedback

Vladimir K. writes:
Your statement that EFS "can't encrypt the volume that contains the operating system" is incorrect; EFS in Longhorn will. First, EFS never encrypted *any* disks, system or not. It did not even encrypt folders -- it works at the *file* level. Second, TPM had been introduced by TCPA in 1999 and not related to EFS at all.

Author's Response

Perhaps I should have phrased that differently. EFS does work at the file level. EFS has some limitations in that it can't encrypt system files. In Longhorn, however, you will be able to encrypt entire volumes including those that contain the operating system.


More information from SearchWindowsSecurity.com

  • Article: Read about Longhorn's lengthy security wish list
  • Book Excerpt: Find out why and how to disable EFS
  • ITKnowledge Exchange: Is Windows security an afterthought? Find out what readers have to say.


  • This was first published in June 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.