Guild Companies

It's T-minus-one week and counting down to the launch of Windows Server 2003. Microsoft, not content to wait until the actual launch to start touting the product like crazy, has been putting out technical details and marketing spin for weeks and is now turning up the buzz machine. The company has also announced details on a bunch of products and APIs that will help companies cope with increasing volumes of viruses and spam on Exchange Server e-mail programs.

This week, Microsoft was once again stressing the increased security that Windows Server 2003 offers over Windows 2000 and Windows NT 4.0. Some of the improvements come from Microsoft's Trustworthy Computing initiative, which forced programmers working on the Windows 2003 operating system to use a more stringent set of coding guidelines with security, rather than some other parameter, as the main thing that they were supposed to worry about. This, more than anything else, is what has made the "Whistler" kicker to Windows 2000 almost a year late to market. Microsoft was right to make customers wait, and customers will benefit from the company's increased patience and good sense about coding practices.

But increased security for Whistler goes beyond Trustworthy Computing, says Microsoft. The company evaluated all the components of the operating system and changed a lot of little things, which will add up to a more secure server environment. For example, the company has removed the Universal Plug and Play feature necessary in desktop environments where users do not know how to install drivers as they change hardware; this network device discovery program can be usurped by hackers to roam the network. Microsoft has added public key infrastructure (PKI) encryption services in Whistler to better authenticate users, and has also added support for the Protected Extensible Authentication Protocol (PEAP), which is a lightweight alternative to PKI that is used for wireless devices. Microsoft wanted to remove from Windows 2003 a bunch of features that are in Windows 2000, but customers would have freaked out, so it left them in. Exactly what these features are is unclear, but Microsoft will warn customers that they present a security risk and that they will be removed from future versions of Windows. These features are deactivated by default in Whistler, and if customers want to use them, they will activate them at their own risk.

Microsoft is also saying that the new Common Language Runtime (CLR) at the heart of its .NET initiative allows customers to write more secure code. Microsoft is using a number of different tools to seek out and correct buffer overflows inside the Windows operating system. Buffer overflows allow a hacker to cause a buffer to accept too much data and spill out into other adjacent memory spaces, which causes a program to lock up and can allow a hacker's program to move into memory and take over the Windows machine. (Other operating systems have buffer overflows, too. It's not just a Windows problem.) Microsoft has a so-called PreFix it runs every couple of weeks across the entire Windows code base to sniff out buffer overflows, so it can fix them. Another tool, called PreFast, is a more streamlined version of this tool that Microsoft uses to look for buffer overflows on particular programs.

Windows itself cannot be held accountable for the security of all of the programs that run in that environment, of course. That is why Microsoft will introduce antispam and antivirus features for the future Exchange Server 2003 messaging server. These features are not new products so much as a set of tools and APIs, called the Windows Filter Manager Architecture, which Microsoft is making available to its channel partners, which then integrate their own spam and virus filtering software with Exchange Server. These tools, says Microsoft, will allow filtering software to better integrate with existing Windows and Exchange Server features. The WFMA APIs control access to Windows and its underlying hardware, and filter application developers will write to these APIs rather than writing their own drivers. The benefit of these WFMA APIs is that customers will be able to put many different and concurrent security programs on one Windows environment because Windows, not these programs, has control of access to hardware.

Exchange Server 2003 will also implement the updated Virus Scanning API (VSAPI 2.5) that helps e-mail administrators come up with fewer false positives when they identify spam and viruses in e-mail. VSAPI 2.5 will allow spam and virus filters to remove this unwanted or malicious content from e-mail files before they get to users' mailboxes, which is where they can actually do damage. Exchange Server 2003 will also work with filters in Outlook 2003, and the safe and block lists that users create for their desktop machines can be imported into their Exchange Server account, so when they access their e-mail remotely the same safe and block lists are in effect.

Microsoft will roll out Windows Server 2003 on April 24. Exchange Server 2003 is due sometime in mid-2003.