Software // Enterprise Applications
News
1/10/2007
03:33 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft: Home Server Sports Serious Security

Windows Home Server will include security features taken from Windows Server 2003, but won't work as a central distributor for patches to PCs on the home network.

Microsoft's upcoming Windows Home Server software will include security features taken from its enterprise-grade Windows Server 2003 software, but will not work as a central distributor for patches to PCs on the home network, a Microsoft executive said Wednesday.

The new server software, which Microsoft will debut in the third quarter inside a Hewlett-Packard box, has bits and pieces from other versions of Windows -- including some from the upcoming Longhorn server -- but "under the hood, it's essentially technology from Windows Server 2003," says Todd Headrick, Microsoft's product planner for Home Server.

Among the security steps Microsoft has taken in the software, adds Headrick, are to turn remote access off by default, open only those ports necessary for remote access when it is enabled, and to work with third-party vendors on potential add-on security.

"We're working with a variety of anti-virus [companies] for them to provide solutions if they want to run it on the server," says Headrick. He did not name the vendors. Like other editions of Windows, Home Server won't come with anti-virus software pre-installed. "Think of this as a new version of Windows if you want," says Headrick.

That also means it will need to be patched against future flaws. Windows Update -- the same service and mechanism used by consumer PCs -- will be set to automatically retrieve and install fixes. And the Home Server software will be added to the list of supported operating systems that Microsoft's security group monitors. "We'll manage vulnerabilities and patches [for Home Server] just like we manage all other vulnerabilities and patches," Headrick says.

"We've set Automatic Updates [to go online] daily at 4 a.m., when the house is sleeping."

One thing that Home Server won't do, however, is grab security updates for the home's PCs for distribution across the home network, a technique commonly used in enterprises to roll out patches for the company's desktops.

"We thought a lot about that and did quite a bit of analysis," Headrick says. "But we decided not to do it. First, the PCs don't stay tethered to the house. Families are buying more laptops, and if we had set Home Server [as the patch manager] a laptop that was out of the house for a month or more would be unprotected. We didn't want to be the bottleneck to those computers getting patched," says Headrick.

"And when we looked at bandwidth [as a reason to push patches from the server], we figured out that the amount of bandwidth taken up by patching just two or three or four PCs is minimal."

The server, however, won't be invulnerable to attack, Headrick acknowledges. Although the hardware will plug into the router -- and so will be protected behind that device's firewall -- an attack on one of the outward-facing PCs could be crafted to also compromise the data repository, a potentially lucrative target for cyber criminals and scammers.

"Yes, it would be possible. People do a lot of stupid things, like opening attachments," Headrick says. "We can't keep them from doing that."

Headrick also promised that the software, which will move into a second round of beta testing before the end of the month, will make security setup and management a snap. Initial setup will be conducted through one or more wizards that pose easy-to-understand questions, Headrick says, while later management of Home Server's security can be done from a PC connected to the network via a Web-based console.

Other security features in the server software are specific to Windows Vista. PCs running Vista will report their security status to the server, which in turn will alert the administrator -- presumably a parent -- that one or more systems need attention. The server, however, won't sport Vista-specific security provisions that Microsoft has touted, including User Account Control, a feature meant to make it more difficult for attackers to plant malicious code without the user's knowledge.

Even so, Headrick is confident that Home Server will stand up to scrutiny and properly protect a home's data investment. "We've learned a lot over the last two years, since Windows Server 2003 [released]."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.