Archive for the 'Network & Security' Category

A Windows Family Tree: Security Profile

Win9X/ME

  • No user or security infrastructure (largely obsolete)

WinNT

  • Highly buggy RPC libraries make owning RPC services easy — RPC data structures are not verified by default the way they are in Win2K, so almost any bad data will make them crash.
  • Doesn’t support some NTLMv2 and other authentication options, making sniffing nicer.
  • IIS 4.0 runs entirely as system and doesn’t restart after it crashes.

Win2K

  • NTLMv2 makes headway in installation bases that are entirely Win2K.
  • RPC libraries much less buggy than NT 4.0 (which isn’t saying much).
  • SP4 — Exception registers are cleared.
  • IIS 5.0 runs as system, but most URL handlers don’t run as system (with the exception of FrontPage, WebDav, and the like).

WinXP

  • Addition of Vectored Exception Handling makes things easier for heap overflows.
  • SP1 — Exception registers are cleared.
  • IIS 5.1 — URLs are limited to a reasonable size.
  • SP2 introduces firewall, heavily modifies RPC, introduces Data Execution Prevention (DEP), SafeSEH makes exploiting exception handlers harder, various other miscellaneous security improvements.

Windows 2003 Server

  • Entire OS compiled with stack canary, including kernel.
  • Parts of IIS moved into the kernel.
  • IIS 6.0 still written in C++, now runs under an entirely different setup with a management process and a bunch of managed processes, each of which can serve port 80/443 from particular URLs and virtual hosts.
  • Can finally detach from a process without it crashing. In previous versions of Win32, if you attached to a process with the debugger, detaching would forcefully kill it. This was useful sometimes, but mostly just annoying.

Windows Vista

  • Everything compiled with a modified, better version of the /GS stack canary.
  • ASLR (Address Space Layout Randomisation) makes most exploits slightly harder; can be a serious difficulty when combined with DEP.
  • Firewall now filters outbound traffic.

Source: The Shellcoder’s Handbook 2nd Edition.
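As an added example (not from the Shellcoder’s Handbook or this post), here is a Python check of the PE header bits that record whether an image opts into the mitigations listed above: DEP via NX_COMPAT (XP SP2) and ASLR via DYNAMIC_BASE (Vista). It reads only the optional header’s DllCharacteristics field; the SafeSEH handler table lives in the load configuration directory and is not parsed here. The sample header bytes are constructed for the test and are not a loadable binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h / the PE-COFF spec
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR with high-entropy addresses
    0x0040: "DYNAMIC_BASE",     # ASLR: image tolerates relocation at load time
    0x0100: "NX_COMPAT",        # DEP: image is compatible with non-executable data pages
    0x0400: "NO_SEH",           # image declares that it uses no SEH handlers
    0x4000: "GUARD_CF",         # Control Flow Guard metadata present
}

def pe_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if malformed.

    Walk: MZ header -> e_lfanew (offset 0x3C) -> PE signature -> COFF header
    (20 bytes) -> optional header, where DllCharacteristics sits at offset 70
    for both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    return dllchars

def mitigation_report(image: bytes) -> dict:
    """Map each named mitigation flag to True/False for the image."""
    chars = pe_dll_characteristics(image)
    return {name: bool(chars & bit) for bit, name in DLL_FLAGS.items()}

def build_test_header(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for testing; not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for label, flags in (("hardened", 0x4160), ("legacy", 0)):
        print(label, mitigation_report(build_test_header(flags)))
```

On a real system, pass `open(path, "rb").read()` of any EXE or DLL to `mitigation_report` to see which opt-in mitigations the linker recorded for it.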

Apple Bugs’ Hunting

“Month of Apple Bugs” project. It’s an interesting and helpful read.
http://projects.info-pull.com/moab/

Some individual bugs have been published, some with exploits, that help illustrate techniques and also demonstrate the way the Apple security community is thinking. One finding by Dino Dai Zovi, as in the links below:
Matasano Link 1, Matasano Link 2

An interesting format string bug in the launchd daemon was used by Kevin Finisterre (“Non Executable Stack Lovin on OSX86” at: http://www.digitalmunition.com/NonExecutableLovin.txt) to illustrate a technique to bypass the non-executable stack feature of OS X on Intel.
http://www.digitalmunition.com/dma.html
http://osvdb.org/search?request=apple

Ilja van Sprundel found a vulnerability in the ping and traceroute programs in OS X that can allow a local user to obtain root access:
http://www.suresec.org/advisories/adv8.pdf
http://www.suresec.org/advisories/adv10.pdf
http://www.suresec.org/advisories/adv11.pdf

Common Vulnerabilities and Exposures (CVE) entries for Apple Bugs:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apple
