Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
June 2005

Zen and the Art of SP1

Windows Server 2003's first service pack is all about quality

Quality, not quantity: That seems to be the motto for Windows Server 2003 Service Pack 1 (SP1). Although SP1 includes several new features, Microsoft has concentrated on improving application compatibility without disrupting the operation of existing systems. The service pack's new functionality emphasizes that goal.

Attending to its core objective, SP1 includes a rollup of all the Windows 2003 patches and security updates that Microsoft has released since the OS first shipped in April 2003. The service pack addresses the top concerns that customers have reported through Microsoft Product Support Services (PSS) and Windows Error Reporting. Windows 2003 SP1 also adds several new security-oriented features. These changes are evolutionary, not revolutionary, and the kernel and core OS have the same code base as the original Windows 2003 OS.

Security Enhancements
Following Windows XP's lead, Windows 2003 SP1 includes built-in data execution prevention (DEP) technology. DEP is a set of hardware and software technologies designed to prevent buffer-overflow exploits. Windows 2003 SP1 provides both hardware- and software-based DEP. Hardware-based DEP, which will be supported on the AMD and Intel x64 processors, uses the CPU's ability to mark memory to indicate that the contents shouldn't be executed. Software-based DEP runs on any processor that supports Windows 2003 but protects only a limited set of system binaries.

Other important SP1 security enhancements include changes to remote procedure call (RPC) and Distributed COM (DCOM). To reduce the RPC attack surface, the service pack uses reduced credentials to run RPC objects. To accomplish this, Microsoft added new registry subkeys to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC that let Windows 2003 restrict access to the RPC interface. The new RestrictRemoteClient subkey lets you modify the behavior of incoming RPC connections and eliminate anonymous remote access. The new EnableAuthEpResolution subkey restricts the accessibility of RPC endpoints.

The changes to DCOM are designed to reduce the risk of a network attack. DCOM enables remote execution of COM objects. Windows 2003 SP1 strengthens the authentication process required for DCOM to activate COM objects, letting you disable incoming DCOM calls.
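As an added example (not part of the article), the following PowerShell script audits the RPC restriction settings named above, together with the machine-wide switch that turns incoming DCOM off. It assumes RestrictRemoteClient and EnableAuthEpResolution are REG_DWORD values under the RPC policy key and that EnableDCOM is a REG_SZ value ("Y"/"N") under HKLM\SOFTWARE\Microsoft\Ole; the "good" values are the ones the script treats as hardened, not anything the article states.

```powershell
# Added example, not from the article: report the RPC/DCOM hardening state of this server.
# Run in an elevated PowerShell session. Reads only; nothing is changed.
# Assumption: value names and types as described in the lead-in.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
       Name = 'RestrictRemoteClient'
       # 0 = anonymous remote RPC allowed, 1 = authenticated clients only,
       # 2 = authenticated clients only with no exemptions
       Good = @(1, 2)
       Note = 'Anonymous remote RPC clients should be rejected' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
       Name = 'EnableAuthEpResolution'
       Good = @(1)              # 1 = endpoint-mapper queries require authentication
       Note = 'Endpoint resolution should require authentication' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'
       Name = 'EnableDCOM'
       Good = @('N')            # 'N' = no incoming DCOM activation on this host
       Note = 'Set to N only on servers that need no incoming DCOM calls' }
)

function Get-HardeningState {
    param([hashtable]$Check)
    $key   = Get-Item -Path $Check.Path -ErrorAction SilentlyContinue
    $value = if ($key) { $key.GetValue($Check.Name, $null) } else { $null }
    $state = if ($null -eq $value) { 'NOT SET (built-in default applies)' }
             elseif ($Check.Good -contains $value) { 'HARDENED' }
             else { 'REVIEW' }
    [pscustomobject]@{
        Setting = $Check.Name
        Value   = if ($null -eq $value) { '-' } else { $value }
        State   = $state
        Note    = $Check.Note
    }
}

$checks | ForEach-Object { Get-HardeningState -Check $_ } | Format-Table -AutoSize
```

A REVIEW result for EnableDCOM is expected on most servers, because DCOM is needed by many management tools; the row is there so the decision is made deliberately rather than by default.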

Windows Firewall
One security-related enhancement that Microsoft took directly from the XP SP2 release is Windows Firewall. Don't mistake SP1's Windows Firewall for a replacement for Microsoft ISA Server 2004. ISA Server is installed at your network's edge and filters both incoming and outgoing traffic for all systems on the network—one ISA Server system can protect your entire internal LAN from external threats. In contrast, Windows Firewall is a host-based (i.e., personal) firewall that's designed to run on all the servers in your internal network and protect them from threats that originate outside the firewall as well as threats that originate in other systems on your LAN.

Like the XP version, the Windows 2003 SP1 firewall blocks only incoming traffic, not outgoing traffic. You can use the Network Connections dialog box to configure the firewall interactively, or you can configure it using Group Policy or the Netsh command. Windows 2003 SP1 automatically installs Windows Firewall, but to ensure maximum compatibility with existing applications, the firewall isn't enabled by default in an SP1 upgrade installation. If you use slipstreamed media (i.e., an installation CD-ROM that incorporates Windows 2003 SP1) to install a new Windows 2003 machine, Windows Firewall is automatically enabled and blocks all incoming traffic until you respond to the Post-Setup Security Updates (PSSU) dialog box, which I discuss later. This configuration protects the server while you perform the initial system update.

SP1's Windows Firewall works with both IPv6 and IPv4 traffic and lets you configure exceptions for your network applications. Microsoft recommends that you use the new Security Configuration Wizard (SCW) to configure the Windows 2003 SP1 firewall.
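The Netsh route mentioned above, as an added example that is not part of the article: a small PowerShell wrapper that applies a Windows Firewall baseline through the `netsh firewall` context, with every exception scoped to a management subnet and dropped-packet logging turned on. The subnet 192.168.10.0/24 is a constructed sample value; the service and port names are the ones this context accepts.

```powershell
# Added example, not from the article: host firewall baseline for a Windows 2003 SP1 server.
# Run elevated. Assumption: 192.168.10.0/24 is the management subnet (constructed sample).

$mgmtSubnet = '192.168.10.0/24'

# Weak form, shown only for contrast: the exception is open to every source address.
#   netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=ALL

# Hardened form: firewall on, exceptions limited to the management subnet, and dropped
# packets logged so that probes against closed ports leave a record for review.
$commands = @(
    'netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL',
    "netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$mgmtSubnet",
    "netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=$mgmtSubnet",
    # Type 8 is ICMP echo request, so monitoring hosts can still ping the server.
    'netsh firewall set icmpsetting type=8 mode=ENABLE',
    "netsh firewall set logging filelocation=$env:windir\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE"
)

foreach ($cmd in $commands) {
    Write-Host ">> $cmd"
    & cmd /c $cmd
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Exit code $LASTEXITCODE from: $cmd"
    }
}

# Record the resulting configuration for the change log.
netsh firewall show config
```

On SP1 this context configures the IPv4 and IPv6 stacks together, so no separate IPv6 step is needed.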

The SCW
The most important feature of Windows 2003 SP1, the SCW helps you reduce the attack surface of your Windows Server system. The SCW can

  • configure Windows Firewall to block ports
  • use IPsec to secure open ports
  • disable unnecessary services
  • disable unnecessary Microsoft IIS Web extensions
  • disable unnecessary protocols
  • configure audit settings

Considering the SCW's importance, it's ironic that the wizard isn't installed by default. Instead, in keeping with Microsoft's theme of minimal disruptions, the SP1 installation places the SCW icon on the desktop. Clicking that icon, however, only displays the SCW Help files; it doesn't install the wizard. To install it, you need to use Control Panel's Add/Remove Windows Components option, then select the SCW check box, as Figure 1 shows. The installation process adds the Security Configuration Wizard option to the Administrative Tools menu.

When you run the SCW, it prompts you with a series of dialog boxes to identify the role that the system performs. The set of SCW roles is extensive. The Security Configuration Database dialog box in Figure 2 shows an example of a role. Preconfigured roles are stored as XML files in the %winnt%\security\msscw\kbs directory. The security policies that you create are saved in the %winnt%\security\msscw\Policies directory. Because they're XML files, you can edit them and copy them to other servers. One cool SCW feature is its ability to create a Windows security policy from an existing server installation. Doing so lets you select a baseline system that you can configure the way you want and create a policy based on that system's settings that you can apply to other systems. To create a new policy based on an existing system, run the SCW and select the Create a new security policy option. Enter the name of the system you want to use as a model, complete the wizard steps, and save the policy.

The SCW can also roll back the security policies that you created with it. You can roll back a previously installed security policy by running the SCW, selecting the Rollback the last applied security policy option, and entering the name or IP address of the system for which you want to roll back the policy. This function lets you easily return your server to an earlier state if the policies don't work as expected. The SCW can also analyze existing systems to determine whether they're in compliance with your security policies. Windows 2003 SP1 includes the new scwcmd.exe command-line utility, which lets you apply SCW policies from administrative scripts or include a call to the scwcmd.exe utility in the cmdlines.txt file for unattended setup operations.
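An added example, not from the article, of how the scwcmd.exe utility fits into administrative scripting: the PowerShell script below analyzes each server in a list for compliance with a policy, and only when run with -Apply configures the policy, rolling back a server whose configure step reports an error. The file names servers.txt and baseline-web.xml are constructed sample inputs, and the scwcmd switches are those of the Windows 2003 SP1 release (confirm with `scwcmd /?`).

```powershell
# Added example, not from the article: staged SCW policy rollout with scwcmd.exe.
# Assumptions: servers.txt holds one host name per line; baseline-web.xml was exported
# from the SCW; the account running this has admin rights on each target.
param(
    [string]$PolicyPath = 'C:\Policies\baseline-web.xml',
    [string]$ServerList = 'C:\Policies\servers.txt',
    [string]$ResultDir  = 'C:\Policies\results',
    [switch]$Apply
)

New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null

function Invoke-Scw {
    param([string[]]$Arguments)
    & scwcmd.exe @Arguments | Out-Null
    return $LASTEXITCODE
}

foreach ($line in Get-Content $ServerList) {
    $server = $line.Trim()
    if (-not $server) { continue }

    # 1. Compliance check only: writes <server>.xml into $ResultDir, changes nothing.
    $rc = Invoke-Scw @('analyze', "/m:$server", "/p:$PolicyPath", "/o:$ResultDir")
    Write-Host ("{0,-20} analyze exit code {1}" -f $server, $rc)
    if (-not $Apply) { continue }

    # 2. Apply the policy. The SCW records what it changed, so a failed configure can be
    #    undone rather than leaving the server half-configured.
    $rc = Invoke-Scw @('configure', "/m:$server", "/p:$PolicyPath")
    if ($rc -eq 0) {
        Write-Host ("{0,-20} policy applied" -f $server)
    } else {
        Write-Warning "$server : configure returned $rc; rolling back"
        Invoke-Scw @('rollback', "/m:$server") | Out-Null
    }
}

# To read one analysis result as HTML, using the transform that ships with the SCW
# (path assumed):
#   scwcmd view /x:C:\Policies\results\<server>.xml /s:"$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"
```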

The PSSU
The PSSU dialog box automatically starts on your first logon unless you used Group Policy to explicitly enable Windows Firewall. Designed to protect the server from external attacks after you initially boot it, the PSSU prompts you to install the most recent system updates and blocks all inbound connections until you click Finish on the dialog box, which Figure 3 shows.

The PSSU offers a link to Windows Update and lets you configure Automatic Updates. If you reboot the system or cancel the PSSU, the dialog box automatically reopens when you restart the system. After you complete the initial setup and click Finish on the dialog box, the PSSU is no longer active.

IE and Other Minor Components
Although Microsoft Internet Explorer (IE) isn't a component you'd typically use in a server environment, it's part of the OS, so it affects server installations. Considering the number of security problems IE has had, it's not surprising that Windows 2003 SP1 includes all the IE fixes that Microsoft introduced in XP SP2. Those changes and enhancements are numerous, but some of the most notable are

  • pop-up blocking—suppresses the display of pop-up windows
  • information bar—provides notification about blocked content
  • Add-on Manager—lets you control the add-ons that IE loads

Among the updated nonserver components in Windows 2003 SP1 are the new Windows Media Player (WMP) 10, which contains security enhancements, and Microsoft Office Outlook Express, which can force mail rendering in plain text and block the rendering of images embedded in email messages.

Deploy the Service Pack on Your Systems
Windows 2003 SP1 provides essential OS fixes and security-related enhancements that should be deployed on all Windows 2003 systems. The PSSU, SCW, and Windows Firewall would benefit all installations. I had no trouble with any of the SP1 installations that I performed. I didn't run into any application-incompatibility problems or other unexpected problems. I appreciated the unobtrusive way that Microsoft added the new features to the system, which put me in control of both how and whether to use them.

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.