By Francis Chu  |  Posted 2005-05-02 Print this article Print

Service Pack 1 has the potential to tighten the security and ease the management of Microsoft Corp.s Windows Server 2003, but it also has the potential to cause many problems if IT departments do not deploy it with care.

Microsoft released Windows Server 2003 SP1 last month, two years after the release of the companys flagship server operating platform. The service pack provides a strong set of base-line security fixes and core feature enhancements, and eWEEK Labs recommends that administrators deploy it in their Windows Server 2003 environments. The beefed-up operating system may also entice Windows 2000 Server shops to move to Windows Server 2003.

However, administrators must proceed with caution and follow best security practices before rolling out SP1. As with SP2 for Windows XP, SP1 for Windows Server 2003 is much more than a bunch of bug fixes. Also as with Windows XP SP2, SP1 has been the source of many reported problems since its release—most notably, it has caused some other applications, including other Microsoft applications, to break.

SP1 deployment has been largely hassle-free for IT staffs that prepared well. Click here to read more. SP1 addresses known vulnerabilities in Windows Server 2003 by locking down authorization parameters of many key services and disabling others completely. IT managers implementing SP1 will likely encounter unexpected server behavior following SP1 installation, especially on Windows Server 2003 systems that use DCOM (Distributed Component Object Model) or RPCs (remote procedure calls).

eWEEK Labs has run into problems with the service pack on both test and production systems.

For example, during tests, we were unable to remotely administer an enterprise application running on a Windows Server 2003 system that we had updated with SP1 because the application used both RPC and DCOM for its remote management tools. In addition, after installing SP1 on a Windows Server 2003 system that runs a production Microsoft SharePoint portal, we lost much of our access to the portal.

eWEEK Labs recommends that IT managers carefully evaluate and test application compatibility before updating production systems. To ensure that updated servers will run within normal parameters, its especially important to know what application settings need to be modified after SP1 locks down a system.

Windows Server 2003 SP1 is available for download at www.microsoft.com/downloads/search.aspx?displaylang=en or via Windows Update. SP1 will also be available in slipstream versions of Windows Server 2003, including the forthcoming x64 Windows Server 2003 releases.

Click here to read a review of Windows Server Update Services RC1. One of SP1s most welcome and long-overdue features is improved security around DCOM and RPC services. SP1 changes the way COM (Component Object Model) calls are made by checking every request against an access control list, thereby restricting access. SP1 also gains new registry keys that will allow administrators to modify RPC behaviors to eliminate anonymous remote access.

SP1 adds DEP (Data Execution Prevention) technology to the Windows Server 2003 platform. As in Windows XP SP2, DEP performs memory checks in Windows Server 2003 SP1 to protect systems against malicious code exploits.

The operating system can enforce DEP using hardware and software: Both Advanced Micro Devices Inc. and Intel Corp. have shipped DEP-compatible chip architectures, and SP1 adds a set of security checks in the form of software-enforced DEP.

SP1 also brings many administration enhancements to Windows Server 2003.

SCW (Security Configuration Wizard) enables role-based security policy authoring that guides administrators via a series of questions to determine a servers security blueprint—a big improvement over (but a good complement to) the similar Configure Your Server tool in standard Windows Server 2003. During tests, SCW let us quickly shut down services that were not being used and, more important, disable unnecessary Internet Information Services extensions. SCW also helped us identify and block unused ports.

Using SCW, we could author XML-based security templates to roll out security policies to multiple systems. Using different templates, administrators can roll back a system with previously configured security policies before disabling other services. SCW also integrates with Microsoft Active Directory, so IT managers can deploy SCW policies via Group Policy.

SP1 also introduces PSSU (Post-Setup Security Updates), which protects servers from network attacks while they are getting patched. The PSSU feature is enabled during any slipstream version install of Windows Server 2003 with SP1, and it appears the first time an administrator logs on. The PSSU dialog box reminds administrators that all inbound connections are blocked and prompts users to download and install critical updates and configure automatic-update settings.

A feature that was welcome on the desktop side, in Windows XP SP2, wont be so widely embraced on the server side. It made sense to provide Windows Firewall in XP SP2, but its inclusion in Windows Server 2003 SP1 is questionable because most organizations production servers are well-protected behind corporate firewalls. The Windows Firewall will be enabled only during new installations of Windows Server 2003 with SP1.

Another update to Windows Server 2003, set for release later this year and code-named R2, will introduce capabilities including Active Directory Federated Services and new rights and storage resource management features.

R2 is built on top of the SP1 code base, so Windows Server 2003 shops will be able to choose to run some or all of R2s features and to run both Windows Server 2003 SP1 and R2 systems on the same network. Customers on the Microsoft Software Assurance plan will receive R2 at no charge; others will have to purchase separate licenses for R2 in addition to Windows Server 2003 licenses.

Next page: Some SP1 gotchas.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel