Când am lansat Windows Vista și Office 2007 în decembrie 2006, am amintit că dacă m-ar întreba cineva ”de ce Vista?”, aș răspunde ”securitate”.
Acum, dacă mă întrebați ”de ce Windows Server 2008?”, aș răspunde tot ”securitate”. Bine, bine. Spun și IIS7 (web server modular) și Hyper-V (virtualizare cu hipervizor: un microkernel Windows), fiindcă sunt prea cool.
Revenind la securitate în Windows Server 2008, am să-l citez pe Mike Howard și lista sa de ”security features” preferate:
- The various defenses we see in Windows Vista: stack defenses, heap defenses, ASLR, NX etc etc
- Server Core (ok, technically not a security feature, but a critical way to dramatically reduce a server’s attack surface)
- Network Access Protection (NAP)
- Server and Domain Isolation
- Read-Only Domain Controllers
- Suite-B crypto support
Câteva resurse importante de secu pentru Windows Server 2008:
- Windows Server 2008 Security Guide
- Windows Server 2008 Security Resource Kit (autorul e Jesper Johansson, care deși nu mai e în Microsoft, ține aproape).
Iar fiindcă Windows Server 2008 a trecut și el prin procesul de dezvoltare SDL (Security Development Lifecycle), am să închei cu o povestioară a lui Mike despre SDL și inițiativa lui Bill, Trustworthy Computing:
A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won’t name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, „What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft’ in the reply.” Two weeks later, the guy phoned me and said his company would buy Microsoft products and nothing from the other company. I asked him why. He said because all they could do was make up excuses rather than admit to having numerous critical security vulnerabilities and no process to reduce their ingress.