Security Advances

Windows Server 2003 has several far-reaching advances in the area of security and a few extras that make life easier as well.

Windows Server 2003 Feature Lock Down

A production goal based on the Trustworthy Computing Initiative started by Bill Gates in 2001 was for Windows Server 2003 to be the most secure version of the Windows operating system to date. It was a far-reaching goal designed to curb the perception that Windows operating systems are inherently insecure. The simple truth of the matter is that the Windows operating system is very, perhaps even extremely, secure. You can change options that lock down the server and restrict access with fine precision. The problem, however, is that the Windows operating system didn't ship in locked-down mode; it shipped with many of the major security features unlocked, making the system very open for access.

Windows Server 2003 resolves many security issues simply by locking down the security "out of the box," and that's a good thing, trust me. You'll notice right away new permissions for the volume roots and changes in how IIS is used and installed. For volume roots, permissions are changed so that the special identity Everyone has only Read and Execute permissions, while members of the Users group have Read, Execute, and limited Change permissions. (They can create only folders, not files, at the volume root level. Once they create subfolders, they can create files within the subfolders.)
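The volume-root baseline just described is something worth auditing rather than assuming, because a single careless change can reopen it. The following script is an added example, not code from the book: it reads the root ACL with Get-Acl and reports any Allow entry for Everyone or Users that grants more than the default (the drive letter, the function name and the findings format are this example's own choices).

```powershell
# Added example: compare a volume root's ACL with the Windows Server 2003
# default (Everyone: Read & Execute; Users: Read & Execute plus Create Folders
# at the root, with file creation only inside subfolders). Assumes PowerShell
# with Get-Acl on the server being checked; run as an administrator.
function Test-VolumeRootAcl {
    param([string]$Root = 'C:\')   # drive to audit; 'C:\' is a placeholder

    $FSR         = [System.Security.AccessControl.FileSystemRights]
    $synchronize = [int]$FSR::Synchronize        # implied on every ACE; not a real extra right
    $readExec    = [int]$FSR::ReadAndExecute
    $usersMax    = $readExec -bor [int]$FSR::CreateDirectories

    $acl      = Get-Acl -Path $Root
    $findings = @()

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # InheritOnly entries do not apply to the root itself; the default
        # "Create Files (subfolders only)" entry for Users is one of these.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $who    = $ace.IdentityReference.Value
        $rights = ([int]$ace.FileSystemRights) -band -bnot $synchronize

        switch -Wildcard ($who) {
            'Everyone' { $extra = $rights -band -bnot $readExec }
            '*\Users'  { $extra = $rights -band -bnot $usersMax }
            default    { continue }
        }
        if ($extra -ne 0) {
            $findings += ('{0} has rights beyond the default: {1}' -f $who, [System.Security.AccessControl.FileSystemRights]$extra)
        }
    }
    return $findings
}

$result = @(Test-VolumeRootAcl -Root 'C:\')
if ($result.Count -eq 0) { 'Volume root matches the Windows Server 2003 default.' } else { $result }
```

Entries for Administrators, SYSTEM and CREATOR OWNER are deliberately ignored; the script flags only the two identities whose defaults the text spells out.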

IIS services are installed only if you elect to install them; and when you do install them, the default installation allows only static HTML files to be served. All other functions and types of content must be specifically enabled. You can change the settings, of course, but the default configuration does help ensure servers are inherently more secure out of the box.

IPSec and Wireless Security

IPSec provides end-to-end encryption of all data packets transferred between computers at the transport layer (level 3 of the Open System Interconnections, or OSI, model). It is considered to be one of the best ways to secure data packets and provides an enhanced layer of security against attacks, whether systems are on the public Internet or a private network. IPSec was included in Windows 2000 and has been extended in Windows Server 2003 with a new IP Security Monitor MMC snap-in, new command-line functionality in Netsh for configuring IPSec, expanded options for IPSec policies, and IPSec extensions to Group Policy for troubleshooting IPSec policies. Windows Server 2003 also supports dynamic key determination using the Institute of Electrical and Electronics Engineers (IEEE) 802.1x authentication standard for secured wireless LANs, which is an improvement over Wireless Equivalency Protocol (WEP). Both technologies can help ensure wireless communications are secure.
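The Netsh IPSec context mentioned above is the quickest way to put a local policy in place without the MMC. The script below is an added example, not from the book or from Microsoft's documentation: it builds a policy that negotiates ESP for all traffic between two hosts and then assigns it. The addresses and the policy, filter list, action and rule names are constructed placeholders.

```powershell
# Added example: create and assign a local IPSec policy with "netsh ipsec static"
# (Windows Server 2003). Assumes both hosts are in the same domain so the
# default Kerberos authentication applies; addresses below are constructed.
$ThisHost = '192.0.2.10'   # constructed: this server
$Peer     = '192.0.2.20'   # constructed: the partner server

# 1. A policy that is created unassigned, so nothing changes until step 5.
netsh ipsec static add policy name=RequireESP

# 2. A filter list matching all traffic between the two hosts; mirrored=yes
#    adds the reverse direction automatically.
netsh ipsec static add filterlist name=PeerTraffic
netsh ipsec static add filter filterlist=PeerTraffic srcaddr=$ThisHost dstaddr=$Peer protocol=ANY mirrored=yes

# 3. A filter action that negotiates security and refuses a cleartext
#    fallback (soft=no) or unsecured inbound traffic (inpass=no).
netsh ipsec static add filteraction name=NegotiateESP action=negotiate inpass=no soft=no

# 4. A rule tying the filter list and action into the policy.
netsh ipsec static add rule name=PeerRule policy=RequireESP filterlist=PeerTraffic filteraction=NegotiateESP

# 5. Assign the policy; only one local policy can be assigned at a time,
#    and a policy delivered through Group Policy takes precedence over it.
netsh ipsec static set policy name=RequireESP assign=yes

# Verify: the static store shows the assigned policy, and the dynamic view
# (like the IP Security Monitor snap-in) shows main-mode SAs once they form.
netsh ipsec static show policy name=RequireESP level=verbose
netsh ipsec dynamic show mmsas
```

Because soft=no forbids falling back to cleartext, the peer needs a matching policy before this one is assigned, or traffic between the two hosts simply stops.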

Windows Server 2003 also supports secure IP communications over Network Address Translation (NAT), or more specifically, IPSec NAT traversal. Yes, it's raining acronyms again, but it's all for the greater good, trust me. Standard NAT traversal, a technology first included in Windows XP and now also available in Windows Server 2003, allows computers on one private network to communicate with computers on another private network through a router when previously this wasn't possible because private IP addresses are nonroutable.

NAT comes into the picture in relation to the public Internet. NAT translates the private IP addresses used on your network to public IP addresses that can be used to make requests and communicate with computers in the public domain. NAT doesn't allow you to communicate between private networks, however, which is why NAT traversal is needed. NAT traversal allows the routers and/or firewalls between two private networks to make requests and communicate with each other by dynamically remapping port numbers. The gotcha is that standard NAT traversal isn't secure, which is why Windows Server 2003 includes IPSec NAT Traversal. With IPSec NAT Traversal, computers using NAT on separate private networks can communicate with each other using secure, encrypted communications.

Microsoft .NET Passport Support

Windows XP introduced Microsoft .NET Passport, a technology for authenticating logons and enabling secure communications with .NET Passport–enabled sites. Web software, such as MSN Instant Messenger, is .NET Passport–enabled, as are Web sites, particularly e-commerce sites. This allows easy logon authentication and secure communications once logon is complete. Now that Microsoft .NET Passport support is included in Windows Server 2003, a .NET Passport–enabled client can log on to a Windows Server 2003 network using its secure credentials. Thus, the same .NET Passport that allows users to access Web software and e-commerce sites can be used to create a secure connection to an organization's network.
