Is it fair to say Windows Server 2003 is just XP with the .NET storage extensions bolted on?
No, that’s not accurate. It’s true that the core of Windows is the same; many parts of the system are very similar across the two products. But a year and a half, two years ago we were looking at the constant problems we were having with security and hacks. The level of maliciousness of the hacks was getting frightening. We stopped all other work. We got the architecture people to look at each part of the code, and work out how people would attack it, and based on that tried to reduce the surface area, what’s the exposed part of the product, the ways the system was listening to the network. That was the top priority, especially as we were creating new things. We spent a lot of time understanding how IIS (Internet Information Services) was managed, and there are a lot fewer ways to do that now. Each of the new components has well-defined threat models analysed by security experts. The older ones have a lot turned off by default so that administrators are aware of what’s running in the