Windows .Net Server


Most IT organizations distinguish themselves by the operating systems on their servers: “We’re a (name of OS vendor) shop. We don’t use that junk from (OS vendor’s leading rival).” Therefore, it’s not surprising that Microsoft Corp.’s next server OS, Windows .Net Server, puts its best foot forward in the Beta 3 release, which became available mid-November.

Windows .Net Server has previously borne the names of Whistler Server and Windows 2002 Server, and to surface appearances .Net Server is a prettied-up Windows 2000. But there’s more added to this version of Windows Server than just a slick user interface and some changes to the Active Directory schema.

Out of the box, Windows .Net Server supports Microsoft’s new computing paradigm, the .Net Framework, with built-in controls that greatly enhance developers’ and system administrators’ abilities to manage .Net-enabled applications.

For organizations that have bought into – or are considering adopting – the Microsoft message, Windows .Net Server will be a key piece of the puzzle as the preferred host platform for Web services. The server provides the engine for the .Net framework, which combines loosely coupled Web-style applications using XML, with Microsoft’s familiar COM (Component Object Model).

Early versions of .Net packages will work with Windows 2000-based products, but we expect that the best customer experiences will occur after .Net Server ships. Other shops, whether they are using Windows NT/2000 as a platform for basic file-and-print services or already deploying Windows 2000, will be a harder sell.

Even if the economic turnaround begins by mid-2002, when we expect Windows .Net Server to ship, companies are going to look at technology expenditures with a jaundiced eye – the inevitable hangover after the long IT bender of the ’90s. Without a specific need for .Net Framework support, we are inclined to recommend that shops already using Windows 2000 or with a budgeted deployment in 2002 should not change plans, and let someone else work out the inevitable bugs.

The Windows .Net Server family will be available in four versions: Datacenter, Enterprise, Standard, and Web. As implied, the Datacenter Server will be the high-end configuration sold as the Windows 2000 Datacenter Server. It will offer support for 32 CPUs and eight-node clustering and will be available for 64-bit platforms.

Enterprise Server (formerly Advanced Server) will also be available in a 64-bit version, and will continue to support as many as eight CPUs and four-node clustering. Standard Server will support dual and solo CPUs and have as much as 4GB of RAM, for smaller environments and requirements.

The new kid on the block, Windows .Net Web Server, will be targeted as a simply deployed and managed Web server for businesses.

From our early experiences in the InfoWorld Test Center with the Beta 3 Enterprise Server code, Windows .Net Server looks like a solid OS. We were impressed by some new features, such as Shadow Copy, which protects data stored in network shares by providing a view of contents at preset points in time. It allows end-users to retrieve accidentally deleted files or folders without resorting to backup media.

There are caveats, of course; this is beta code after all. We question the decision to employ the Luna user interface developed for Windows XP, which can exact an unwelcome toll on performance, but this is easily disabled by those wishing to wring the most out of their machines.

We approve of Microsoft’s choice to make the IIS (Internet Information Server) Web server an optional, post-install feature. However, although we’re resigned to the presence of browser code on servers, we do object to Outlook Express as an un-removeable item, because that application is the Typhoid Mary of the last few years’ worth of e-mail viruses. Microsoft representatives have promised that the myriad security problems found in Windows NT and Windows 2000 during the past five years have all been tested for in .Net Server and that it’s the most secure Windows Server ever to ship. All we have to say in reply is, it wouldn’t take much.

Security and the related maintenance issues may well be a reason for customers to hesitate before locking into the .Net Server vision. After all, Windows 2000 was already 16 patches past Service Pack 2 as of late November. Most of those patches address security problems, but that does not mean customers are happy about installing them. We can only hope that .Net Server will feature more bootless patches: We know there will be bugs, and someone will find them, but it would be nice if the fix didn’t always involve a complete server restart.

Our concerns expressed, Windows .Net Server looks promising from this final beta code. The enhanced and new management tools provide finer control over applications and server resources than ever before. We wonder how many customers are ready to upgrade server operating systems every other year, but it’s clear that .Net Server will be the best Windows ever.

.Net Framework security is no joke

In the world of IT, giggling usually follows mention of “Microsoft” and “security” in the same sentence. That may change, however, following the release of a white paper by independent security consultancy Foundstone, in Irvine, Calif., on the security of Microsoft’s .Net Framework.

The company’s assessment is based on more than a year of work in 2000 and 2001, during both the Beta 1 and Beta 2 phases of the Framework’s development cycle. This allowed Foundstone a unique opportunity to dig into the .Net Framework and improve the design by recommending tighter security practices.

Foundstone’s review included evaluating the architecture and design of .Net Framework, along with code review, and penetration attempts using likely exploits. We find it encouraging that in 2,800 hours of pounding on the code and its technology from every conceivable direction, Foundstone recommended only a few dozen tracking items — 60 or 70, according to Vice President of Business Development Alan Deane — and only one major architecture overhaul to Microsoft.

Apparently, the .Net Framework in an early version had too many ways for managed applications to access unmanaged code. At Foundstone’s suggestion, the .Net Framework developers “bricked up” many of these potential weak spots, thereby reducing the potential exposure of customers to attack.

The white paper covers most aspects of the .Net Framework, but one key benefit that Foundstone points out is the granularity of the .NET Framework security model, compared favorably in the white paper to that of J2EE (Java 2 Enterprise Edition). This granularity allows for more careful control of the behavior of applications and the resources they access.

Obviously, these conclusions apply to only the .Net Framework — not to Windows.Net Server or to most of the applications that still present security concerns. Foundstone is careful to stress that the .Net Framework security doesn’t exist in a vacuum. Proper system maintenance — and that includes adhering to best practices and promptly applying patches — is crucial to preventing security problems from rearing their ugly heads. We agree and remain infinitely more concerned about running Internet Explorer and Outlook Express than we are about .Net Framework.

Why? Because it looks as if Microsoft got it right this time and built security into .Net Framework from the ground up. Only time will prove how tough the .Net Framework is after attackers have been pounding on it for a year or two, but the foundation appears solid. Foundstone, having performed what we liken to a core sample on concrete, confirms that “Microsoft security” may finally be shedding its punch-line status.


Business Case: Windows .Net Server could be the best platform for Web services upon release. Most shops already have a substantial investment in Microsoft technology and are loath to walk away from it.

Technology Case: Building on the lessons of earlier versions, the improved manageability and support in Microsoft’s Windows .Net Server make it a good choice for shops considering upgrades or server purchases in late 2002 and 2003.