Microsoft is showing its upcoming Windows Home Server here at the WinHEC conference in Los Angeles. The Windows Server 2003-based operating system will be available later this year pre-installed on extra-small computers made by HP and other companies, and Microsoft now says it will make the OS available through distributors so that enthusiasts can install it on their own spare computers.
Home Server promises to make network storage and sharing simple, and it will also allow for backups and basic monitoring. What's more, you can use it to share files over the Internet, and even set up remote desktop access through it to the PCs in your network. Some useful features to be sure - but security concerns with the two Internet services may spoil the party.
Internet sharing is turned off by default, according to Charlie Kindel, general manager for Windows Home Server. When you enable it, the server uses Universal Plug and Play (UPnP) to automatically set up your home router to send connections coming in from the Internet to the Home Server (over ports 80 and 443).
People who connect will be prompted for a username and password you set up, and get access to files you specify.
I'm a big fan of remote access, but while Microsoft's implementation sounds great for convenience, it sounds not-so-great for security. Good network admins go on high alert whenever they find a direct route into their network from the Internet, because that becomes a potential avenue for attack. They know that hackers are constantly looking for these avenues with portscans, and segregate Internet-accessible servers into a separate part of the network (a DMZ).
The remote desktop option is likewise turned off by default, and requires using one login for the Home Server, and then another to access the computer you're trying to reach. The service allows traffic in from the Internet at large over port 4125.
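One way to check what a router is actually forwarding, as an added example that is not from the article or from Microsoft: it parses UPnP port-mapping replies (the standard `GetGenericPortMappingEntry` response of a router's WANIPConnection service) and flags enabled forwards on ports 80, 443 and 4125. The SOAP documents, addresses and descriptions are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Ports the article names: 80/443 for file sharing, 4125 for remote desktop.
WATCHED = {80: "file sharing (HTTP)", 443: "file sharing (HTTPS)", 4125: "remote desktop"}

# Constructed template for a UPnP IGD GetGenericPortMappingEntry SOAP response.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>{inner}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample data: addresses and descriptions are invented.
SAMPLE = [
    TEMPLATE.format(ext=443, inner=443, client="192.168.1.50", enabled=1, desc="home server"),
    TEMPLATE.format(ext=4125, inner=4125, client="192.168.1.50", enabled=1, desc="home server"),
    TEMPLATE.format(ext=80, inner=80, client="192.168.1.50", enabled=0, desc="home server"),
    TEMPLATE.format(ext=51413, inner=51413, client="192.168.1.20", enabled=1, desc="other app"),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping response as a dict."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if elem.tag.endswith("}GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "").strip() for child in elem}
    raise ValueError("no GetGenericPortMappingEntryResponse element found")

def audit(responses):
    """List enabled forwards on watched ports that accept any remote host."""
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        port = int(m["NewExternalPort"])
        open_to_all = m["NewRemoteHost"] == ""   # empty means any Internet host
        if m["NewEnabled"] == "1" and open_to_all and port in WATCHED:
            findings.append((port, m["NewProtocol"], m["NewInternalClient"], WATCHED[port]))
    return findings

if __name__ == "__main__":
    for port, proto, client, what in audit(SAMPLE):
        print(f"Internet-reachable {proto}/{port} -> {client}: {what}")
```

On a real network the responses would come from querying the router's mapping table entry by entry; a disabled entry or a forward for an unrelated application is not reported.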
Home Server remote sharing is built on top of Microsoft's IIS version 6, which according to Kindel hasn't had a new vulnerability in years. He also said that when you enable the remote desktop feature, the server will enforce a strong password policy.
As Kindel says, "everyone is going to have to make their own decision" whether to enable the Internet-facing services. But based on what I've heard so far, I wouldn't.
The future will be filled with home servers. All of your stuff available wherever you are. Your own websites running from your home.
This is not going to arrive until broadband is forced to provide as much upload bandwidth as download bandwidth.
When that happens, and everyone adopts home servers, they will be IX based. Linux, Unix, some IX, but not Windows server. Why? ... Because when you actually think about it, that would be crazy.
Your security concerns are way outdated. Get the facts at http://secunia.com. Apache has way more vulnerabilities (including unpatched ones) than IIS has had for the past several years.
This is the wave of the future in spite of any security concerns (which will always be addressed in any event).
I don't see how this will be any different than NAS products already on the market. One example is Western Digital's "My Book World Edition" 1 terabyte Storage System for Remote Access and Sharing. The software (WD Anywhere Access) even has UltraVNC capabilities allowing remote desktop access over the Web.
http://www.wdc.com/en/products/Products.asp?DriveID=279
Just because Microsoft is recognizing the value in this sort of thing doesn't mean it's any less/more dangerous than what's already on the market.