Additional security features
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Additional security features
This topic contains a brief overview of the additional security features in the Windows Server 2003 family. It is divided into three sections: New and updated features since Windows Server 2003 (without SP1), New and updated features since Windows NT 4.0, and New and updated features since Windows 2000.
For information about authentication and smart card support features, see Authentication and smart card support. For more information about new security features, see New features in security. For links to more information about the features in this release, see New Features.
The Windows Server 2003 family includes a variety of features for the creation of a strong, flexible security system, including file encryption and the security features that are built into Active Directory. For information about the kinds of authentication that are available, see Authentication and smart card support.
New and updated features since Windows Server 2003 (without SP1)
Windows Server 2003 operating systems with Service Pack 1 (SP1) offer the following improvements (compared to Windows Server 2003 without SP1) that help provide increased levels of support for security:
- Security Configuration Wizard
- The Security Configuration Wizard reduces the attack surface of computers that are running Windows Server 2003 with SP1. The wizard asks the user a series of questions designed to determine the functional requirements of the server. Any functionality that is not required by the roles being performed by the server is then disabled. In addition to being a fundamental security best practice, reducing the attack surface increases the diversity of your Windows landscape, and reduces the number of systems that need to be immediately updated if a security issue arises. For more information, see Windows Server TechCenter.
- Windows Firewall
- Windows Firewall is a host firewall technology. As a host firewall, Windows Firewall runs on each of your clients and servers. It provides protection from network attacks that pass through your perimeter network or originate inside your organization, such as Trojan horse attacks, port scanning attacks, and worms. Like many firewall technologies, Windows Firewall is a stateful firewall. As such, Windows Firewall inspects and filters all Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic. Unsolicited incoming traffic is dropped unless it is a response to a request by the host (solicited traffic), or it is specifically allowed (excepted traffic). You can specify excepted traffic according to port number, application name, or service name by configuring Windows Firewall settings. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic. Windows Firewall is not included in the original release of the Windows Server 2003 operating systems. For more information, see Windows Server TechCenter.
- Digital Identity Management Service (DIMS) and Credential Roaming
- DIMS and credential roaming make it possible for users who log onto any domain-joined computer running Windows Server 2003 with SP1 to seamlessly and silently have all of their certificates and private keys available for applications and services. Administrators can use Group Policy to enable credential roaming, thereby automatically synchronizing and replicating user certificates and private keys with the Active Directory user object. For more information, see Windows Server TechCenter.
- Windows Server 2003 Privacy Information
- Windows Server 2003 with SP1 includes Group Policy settings that were not available in the original release of Windows Server 2003. You can find new settings designed to help protect your privacy in Group Policy under a key called Internet Communication Management. The settings under the Internet Communication Management key are designed to help you control the way Windows components communicate with the Internet. One of the settings new to Windows Server 2003 with SP1 is Restrict Internet communication, which you can use to control multiple privacy-related settings simultaneously. For more information about privacy, see Using Windows Server 2003 in a Managed Environment at the Microsoft TechNet Web site.
- Enabling Authentication for Terminal Services connections
- With Windows Server 2003 with SP1, you can configure Terminal Services connections to use Transport Layer Security (TLS) for server authentication and encryption. TLS is often referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS). By default, TLS is not enabled when SP1 is installed. For more information, see Terminal Services Security at the Microsoft Web site.
New and updated features since Windows NT 4.0
The Windows Server 2003 family offers the following improvements (in comparison to Windows NT 4.0) that help provide increased levels of support for security:
- Encrypting File System
- Encrypting File System (EFS) complements other access controls and provides an added level of protection for your data. EFS runs as an integrated system service, making it easy for you to manage, difficult to attack, and transparent to the user. For more information, see Encrypting File System.
- Internet Protocol security
- You can use Internet Protocol security (IPSec) to secure communications within an intranet and to create secure virtual private network (VPN) solutions across the Internet. IPSec was designed by the Internet Engineering Task Force (IETF), and it is an industry standard for encrypting TCP/IP traffic. For more information, see Internet Protocol Security (IPSec).
New and updated features since Windows 2000
The Windows Server 2003 family offers the following improvements (in comparison to Windows 2000) that help provide increased levels of support for security:
- TCP/UDP port ownership
- A new netstat command option displays the process that owns the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port. You can use this feature to configure secure servers, security audits, and performance improvements.
- Encrypting File System improvements
- Encrypting File System (EFS) has been improved in several ways. Stronger encryption algorithms are available with larger keys. Multiple users can be authorized to share encrypted files. Offline files can be encrypted through EFS, so that you can protect locally cached documents. For more information, see Encrypting File System.
- Software restriction policies
- With software restriction policies, you can protect your computer environment from untrusted code by identifying and specifying which applications are allowed to run. For more information, see Software Restriction Policies.
- Internet Protocol security monitoring improvements
- Internet Protocol security (IPSec) monitoring improvements include a Microsoft Management Console (MMC) snap-in that provides detailed information about IPSec policy configuration and active security states. This feature replaces the Ipsecmon.exe monitor program in Windows 2000. For more information, see Internet Protocol Security (IPSec).