The new security features in Windows Server 2003 improve functionality and shore up some traditionally vulnerable areas. They include the following:
New Standard Accounts.
New Local Service and Network Service accounts remove some services from the highly privileged Local System security context. These accounts also benefit Internet Information Services (IIS) by permitting a web site to be assigned to a non-privileged account.
New handling for anonymous logons limit the vulnerability of Windows Server 2003 to NetBIOS service scanners. The Everyone group is no longer assigned to the access token of an anonymous connection.
It is now possible to store alternate names and passwords to use when accessing servers that are not on the domain. This simplifies managing servers in a DMZ section of a firewall and other standalone servers.
Reduced traffic to PDC Emulator.
If a DC that is not the PDC Emulator receives improper credentials from a user, it caches the result locally to reduce traffic to the PDC Emulator. By default, the user is limited to 10 forwarded requests. From that point forward, the user is denied access based on the cached information for a period of 10 minutes.
Password reset handling.
In Windows 2000, an unauthorized password reset results in gaining access to the cryptographic elements on a machine, compromising encrypted files and secure email. Windows Server 2003 protects cryptographic structures from unauthorized changes to passwords.
Lost password handling.
A new Password Reset Disk feature enables you to regain access to a standalone server if the local password has been forgotten.
Realm trust simplification.
Windows Server 2003 has new methods for building transitive trusts to MITv5 Kerberos realms that simplify the work necessary to integrate open source realms and Windows domains.