What does Microsoft think will drive deployment of Windows Server 2003? InformationWeek posed a few questions, via E-mail, to Bill Veghte, corporate VP of Microsoft's Windows Server Division. Here are his answers.

InformationWeek: What's the most significant change in Windows Server 2003, compared with Microsoft's previous server operating systems?

Veghte: The biggest change for Windows Server 2003 is that it is unquestionably the most customer-focused Windows Server release yet. What do I mean by that? The reality of today's IT environment is the demand to do more with technology, and, at the same time, do it with less cost. So, we spent time with customers who are using Windows 2000 Server and Windows NT Server 4.0 to really understand what it would take to: 1) Enable them do a lot more with Windows Server 2003, and 2) Enable them to do it faster, with lower costs, and with less hassle. We focused a lot of engineering investments in improvements that make Windows Server 2003 faster and easier to deploy, manage, and use. We integrated functionality across the product to make it simpler and more efficient to do things like build new applications, secure networks, and manage system resources. And, across key workloads such as database, web, file sharing, and directory-Windows Server 2003 is up to twice as fast on the same hardware. All of these improvements will enable customers to get a lot more value out their IT investments with Windows Server 2003.

InformationWeek: In general, how and to what extent does Windows Server 2003 advance Microsoft's year-old Trustworthy Computing initiative

Veghte: Windows Server 2003 has been the first major beneficiary of Microsoft's Trustworthy Computing initiative, which is focused on improving the customer experience by increasing the security, reliability, and privacy of Microsoft products. From a security perspective, we invested substantial resources to train 8,500 developers, testers, and program managers on secure coding practices, and have instituted a new policy, which we call SD3+C to govern our efforts to increase the security of our products. This includes incorporating security audits, code reviews, threat modeling practices, and new software-testing tools throughout the development and product release process. We estimate that the cost to the Windows division alone has been more than $200 million, and the SD3+C process is being instituted across all of our product and service groups. Of course, customer systems are complex and quite diverse, so it's important to understand that this is a long-term initiative. There is clearly more work to do, but at end of year one, we feel good about the progress we are making and especially proud of the enhancements we've made in security and reliability engineering for Windows Server 2003.

InformationWeek: What are the most important security changes and improvements in Windows Server 2003?

Veghte: Windows Server 2003 was designed and built with enhanced security as a top priority. Under the SD3+C model, we're working to make our products more secure by design (which means that the flaws are removed and the right features are in the products), more secure by default (out of the box, they are configured for security by turning off features that are not immediately used), more secure in deployment (customers have tools to secure their environment) and communications about security (we tell customers what we know when we know it). Just a few of the important changes we have made to Windows Server 2003, under the SD3+C process include the following:

Secure by Design: Internet Information Services (IIS) 6.0 has been redesigned to reducing potential attacks by restricting network access. Common Language Runtime (CLR) software engine helps to ensure a safe computing environment by reducing the number of bugs and security holes caused by common programming mistakes.

Secure by Default: The product will ship in a locked-down state, with more than 20 services turned off by default or running with reduced privileges. IIS 6.0 will ship turned off by default in Windows Server 2003. Internet Explorer technologies in Windows Server 2003 use a new Enhanced Security Configuration by default. Password security has been strengthened so that users cannot log on remotely using any account with a blank password. This reduces the potential of remote network attacks due to poor password practices.

Secure in Deployment: Public Key Infrastructure Services (PKI) have been significantly enhanced to provide customers with a simple certificate infrastructure to improve security in IPSec-based VPN and network communications, wireless authentication using 802.1x, smart-card logon, encrypted file system, and other services. Protected Extensible Authentication Protocol (PEAP) offers encrypted password-based authentication to enhance the security of wireless connections. PEAP is a flexible security alternative for customers who need wireless productivity but cannot devote the resources needed to deploy a full PKI infrastructure. Authorization Manager provides role-based authorization within applications, which makes it faster and easier for system administrators to manage end-user access to Web services.

InformationWeek: To what extent will, or should, Windows Server 2003's reliability and security improvements drive upgrades among customers?

Veghte: Reliability and security are absolute "must-haves"-you don't even get to have a discussion with a customer without these, and the improvements we've made in these areas are great reasons to choose Windows Server 2003. What will really drive migrations, though, are the enhancements we've made that allow customers to achieve cost reductions via things like server consolidation, faster application development, better performance, and easier management. These are all things that will deliver greater return on IT investments. We're already seeing early adopter customers report 30% or more savings from moving to Windows Server 2003. Because organizations can realize significant advantages and immediate benefits in security, reliability, and productivity-all of which drive a very real and demonstrable value to the bottom line-by upgrading to Windows Server 2003, we believe this will prove to be a very compelling upgrade, especially for Windows NT Server 4.0 customers.