Security Watch
The Genesis of Multi-Role Windows NT Servers
The evolution of Windows NT threatens its survival.
Several weeks ago, I wrote about a vulnerability in the
Computer
Associates'
Brightstor (formerly ArcServe)
buffer overflow. That led to questions from readers about why Windows server
roles aren't always separated. For example, why isn't a backup server only a
backup server, instead of also being commonly used as an extra Backup Domain
Controller, file/print server and so on?
The answer requires a knowledge of Windows server history. In 1992, when Windows
NT 3.1 was first released, there was no cost difference between servers
and desktops. Licensing was simply per seat, and based solely on the fact that
you were running a licensed Windows box, so it didn't matter whether you implemented
a server or workstation. You could economically separate the various roles a
server might have onto multiple machines, including desktops. (Netware users
might remember the days when it was possible to have a Novell server also running
a desktop console; Microsoft was simply following suit.) You could have a desktop
serve as a file/print server, BDC or whatever server role you might want.
When Windows NT 3.5 was introduced, the cost of servers
increased, and Microsoft also unveiled Client Access Licenses
(CALs) in addition to the operating system license the client already had. Given
Microsoft's huge marketing push about NT's multi-tasking capabilities, economics
made it imperative that NT servers take on multiple roles. At the same time,
hardware requirements increased, adding considerably to server cost.
Contributing to the push of getting servers off of non-server hardware was
the Bob Denny debacle. Denny had developed the first
Web server for NT. It didn't discriminate, working on both workstations and
servers. Microsoft, however, hadn't planned on NT Workstation being used as
a server. It had hard-coded performance metrics in Workstation to limit its
functionality as a server; one example was limiting the number of simultaneous
connections. Denny had implemented numerous workarounds so that his Web server,
whether run on a workstation or server, worked equally well.
As a result of the Denny Web server, Microsoft decided to end server-on-desktop
usage. With the release of NT 3.5 came license agreement changes which stated
that workstations couldn't be used as servers, and new technology that broke
many of Denny's workarounds. Windows NT 3.51 also
increased the server license costs even more.
By the time of NT 4.0, the use of servers for as
many roles as possible had become part of the NT culture. Cost concerns aside,
people implementing NT servers simply thought of them as multi-role, as if that
had been the plan all along.
At about the same time, the Internet started coming
to prominence. Although earlier versions of NT had been used frequently on the
Internet, few had been used in fully-exposed roles subject to hack attacks from
the Internet.
Want
More Security? |
This
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here. |
|
|
But Internet-exposed NT 4.0 servers became commonplace and the security pitfalls
of multi-role servers became obvious. Combining so many uses on a single server
makes it extremely difficult to properly secure, and compromise of one component
can lead to the compromise of other components. As networks full of multi-role
NT servers were connected to the Internet, the importance of role separation
grew.
Role separation has always been important. Connecting to the Internet doesn't
make role separation any more important, but Windows networks had been seen
as proprietary until that point, and the thinking was they were less susceptible
to attack. After all, who was going to be sending non-routable NetBEUI packets
across the Internet?
Today, role separation is far better understood in Windows environments. But
cost considerations still dominate management, leading to the present-day situation
in which far too many Windows servers are still multi-role.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.