Windows Server 2003 shipped earlier this year. I have spent some time evaluating it. The defaults are substantially more restrictive than Windows 2000.
What is different
- IIS 6 is not enabled by default. This is a substantial change; previous versions installed and enabled IIS by default.
- Many other services that were on by default in 2000 are off in 2003.
- The default permissions are more restrictive.
- The management UI emphasises the security implications of configuration changes.
What this means for Trustworthy Computing
The real test of Microsoft's commitment is what 2003 ships with. The defaults are meaningfully more restrictive; the public commitment to secure-by-default has produced visible product changes.
My probability that Trustworthy Computing produces real improvement has shifted up to 90%. Not all of what should change has changed; a substantial portion has.
More as the year develops.