Windows Server 2008 has been shipped and Security Guide for this server is here. In guide, Microsoft stated:
Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.
Michael Howard, one of main Microsoft’s persons behind SDL (Security Development Lifecycle) says:
Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista, and we REALLY raised the bar in Windows Server 2008.
Windows Server 2008 is a prime product example of our ongoing commitment to Trustworthy Computing, and how the company is making good on its commitment to continue to build the most secure computing environment possible. After the Trustworthy Computing commitment was made a few years ago, we’ve has made great strides in the right direction, and last week’s product launch (Windows Server 2008, SQL Server 2008, and Visual Studio 2008) clearly shows that security remains a top priority.
While I tend to focus on “Secure Features” Windows Server 2008 is full of “Security Features.” Someone asked me for my favorite security features. In no particular order, they are:
- The various defenses we see in Windows Vista: stack defenses, heap defenses, ASLR, NX etc etc
- Server Core (ok, technically not a security feature, but a critical way to dramatically reduce a server’s attack surface)
- Network Access Protection (NAP)
- Server and Domain Isolation
- Read-Only Domain Controllers
- Suite-B crypto support
Let’s wait and see how it works in real environments.