Microsoft Corp. late Wednesday night made the code for Windows Server 2003 Service Pack 1 available to customers as a free download, some two years after the product was first released.
The Redmond, Wash., software company will simultaneously release the code, which includes security enhancements and some reliability and performance improvements, to manufacturing.
In an interview with eWEEK ahead of the SP1 code release, which is available here, Samm DiStasio, a director of Windows Server marketing, said Microsoft did not just roll up existing security fixes with this release, but has also made changes to some root core behaviors in the operating system that will potentially allow classes of exploits to be eliminated rather than just an individual one that had a patch.
Windows Server 2003 was the first product released that benefited from Microsoft’s Trustworthy Computing initiative, where all code goes through a rigorous screening and audit for potential security issues and other vulnerabilities.
Included in SP1 is a new Security Configuration Wizard, which reduces the attack surface by gathering information about specific server roles, then automatically blocking all services and ports not needed to perform those roles, he said.
The wizard took the guidance that has only been available in paper form on TechNet until now and “really put it into an automated tool that allows users to go out and discover their servers and further lock down the role that they have that server playing,” DiStasio said.
That will help further reduce the surface area and do this in an easy, wizard-driven format, which could be exported in an XML template that could be used for every Web server, in a one-to-many format, DiStasio said.
With regard to protection against malicious attacks and viruses, SP1 has the firewall off by default, except on a clean server install, where SP1 blocks all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer.
Once that is done, the firewall can be taken down, allowing users to decide how they want to use the firewall. “This is very important to IT folk as they want to be able to configure the firewall by themselves and not take on our defaults,” he said.
Microsoft has also taken the client inspection, the VPN (virtual private network) quarantine technology, and graduated that from the resource kit into the SP1 release, which is fully scriptable.
In addition, SP1 includes Internet Information Services (IIS) 6.0 Metabase Auditing, which allows administrators to identify potential malicious users should the store become corrupted, while Network Access Quarantine Control components have been added to allow administrators to isolate out-of-date VPN assets, DiStasio said.
The team also worked hard on application compatibility, and Microsoft will be posting a document that maps out all the applications tested and, more importantly, the ones that were found to have regressions or issues.
While the applications tested represent a fraction of the tens of thousands available, it is a good representative sample of 80 percent of applications and certainly reflects the top applications found in most environments, according to DiStasio. Those tested also gave Microsoft most of the behaviors that applications exhibit, “so we’re really catching the lion’s share here. But with any service pack, the advice to customers is to test it in their environment to make sure it works first,” he said.
Not only did Microsoft have its Technology Adopter Program (TAP) customers test the code, but it also had thousands of beta testers looking at it. The 50 to 100 TAP customers got every build of the code and also had sign-off power on the quality process around the code as well, DiStasio said.
Asked about plans for SP2, he said that while there are always future milestones planned for the product, “I can’t really say what shape those would take at this point. But we are always thinking about what the next serviceability release is that we need to do.”