Blazing the Windows 2003 SP1 Trail
For those of you who haven't gotten around to installing Microsoft's Windows 2003 Service Pack 1 yet, due to time constraints or trepidation at Microsoft's penchant for breaking as much as it fixes in is Service Packs, let's spend some time on this latest of Microsoft's OS Service Packs before you dive in. Pioneers, the saying goes, are the ones with the arrows in their backs. We took a few arrows on the way to installing Windows Server 2003 SP1, so you could hitch your wagon and head out, too.
Windows 2003 SP 1 was released at the beginning of April 2005 and is the second stage of the Microsoft security initiative, called "Springboard," from which Windows XP Service Pack 2 originated in August 2004. It not only contains the usual bug fixes and performance tweaks, but also features a strong concentration on security issues, since Microsoft was beat up pretty badly over security issues in 2003.
The Good News
Windows 2003 SP1 contains many of the new features that previously appeared in Windows XP SP2, although these are installed and configured a bit differently for the server platform. For example, there's the Windows Firewall, which is simply enabled by default in Windows XP SP2. It's enabled during slipstreamed (new) installations of Windows 2003 SP1 too, to prevent network-based attacks during installation. However, only afer nagging you to apply any additional subsequent patches with Post Setup Security Updates (PSSU), it is then disabled on the server unless you re-enable it. This makes sense if you think about it. Locking down a new installation of Windows 2003 until all latest patches are applied probably isn't a bad idea.
A few other items that debuted in Windows XP SP2 and reappear Windows 2003 SP1 are Wireless Provisioning Service (WPS), some COM and DCOM security changes, Internet Explorer changes, and DEP (Data Execution Prevention).
There are some definite application incompatibilities and gotchas in Windows 2003 SP1. Surprisingly, many of the application incompatibilities or gotchas that surface in Windows 2003 SP1 are products from Microsoft. Fortunately, Microsoft has already devised patches and fixes for most of them.
Wireless Provisioning Service helps you in setting up wireless networks. In Windows XP SP2, Wireless Configuration Wizard and WPS automates the process of connecting to and configuring wireless networks, making it easier and more secure for users to connect to corporate or public Wi-Fi hotspots. With WPS on Windows 2003 SP1 and IAS, Wireless Internet Service Providers (WISPs) can provide pay-per-use, monthly subscription, and long-term Internet access to new and existing customers through wireless access points deployed in public areas or on corporate wireless networks.
Changes to Internet Explorer include local-machine lockdown, pop-up blocking and add-on management, which allows you to control the installation and removal of add-ons in IE. This feature also allows you to see the add-ons that are installed, which were very difficult to see before.
Windows 2003 SP1 also includes software-based DEP (Data Execution Prevention) memory protection technology, which first appeared in Windows XP SP2. This protects your server against the insertion of malicious code into areas of computer memory reserved for non-executable code, thereby reducing exploits of exception-handling mechanisms in Windows. Many of the latest processors also have a hardware-based DEP which prevents the execution of code in memory regions designated for data storage. For instance, Dell PowerEdge servers shipped since October 2004 have NX (no-execute) processor capability. Hardware-based DEP keeps track of memory locations designated as 'non-executable.' If a page reserved for non-executable code attempts to execute code, the hardware catches the code and prevents the code from running.
Windows 2003 SP1's software-based DEP is enabled by default, regardless of the hardware-based DEP capabilities of the processor. If your server processor has DEP capabilities, then Microsoft's software-based DEP adds another layer of security checks to prevent malicious exploitation of Windows 2003's exception-handling mechanisms.
This service pack is heavy with security enhancements and tools, but the biggest and most highly publicized one is the Security Configuration Wizard (SCW).
(Click for a larger image)
Oddly, once SP1 is installed, an icon for SCW appears on the server's desktop. However, this is misleading because at this point, the Security Configuration Wizard is not yet installed. It must be installed seperately using Add/Remove Programs. SCW allows the administrator to configure server security policy at a very granular level enabling or disabling services, protocols, and features according to the role of the server. This security configuration is stored in XML format, which can be exported and applied to other Windows 2003 servers that perform the same roles, for instance, Exchange servers.
After Windows 2003 SP1 is installed, you'll be presented with a Post-Setup Security Updates (PSSU) screen that pesters you to update the server with any pending security updates and to configure Automatic Updates. Until this screen is dealt with (or dismissed, since there may be few updates as of this writing), all inbound network traffic to the server is blocked. You must click 'Finish' for inbound traffic to be allowed.
Another less glamorous but still very useful goodie in Windows 2003 SP1 is VPN Quarantine, which allows you to deny VPN access to PCs that connect to your servers, but are not up-to-date with security software you require.