Service Pack 1 has the potential to tighten the security and ease the management of Microsoft Corp.'s Windows Server 2003, but it also has the potential to cause many problems if IT departments do not deploy it with care.
Microsoft released Windows Server 2003 SP1 last month, two years after the release of the company's flagship server operating platform. The service pack provides a strong set of baseline security fixes and core feature enhancements, and eWEEK Labs recommends that administrators deploy it in their Windows Server 2003 environments. The beefed-up operating system may also entice Windows 2000 Server shops to move to Windows Server 2003.
However, administrators must proceed with caution and follow best security practices before rolling out SP1. As with SP2 for Windows XP, SP1 for Windows Server 2003 is much more than a bunch of bug fixes. Also as with Windows XP SP2, SP1 has been the source of many reported problems since its release—most notably, it has caused some other applications, including other Microsoft applications, to break.
SP1 addresses known vulnerabilities in Windows Server 2003 by locking down authorization parameters of many key services and disabling others completely. IT managers implementing SP1 will likely encounter unexpected server behavior following SP1 installation, especially on Windows Server 2003 systems that use DCOM (Distributed Component Object Model) or RPCs (remote procedure calls).
eWEEK Labs has run into problems with the service pack on both test and production systems.
For example, during tests, we were unable to remotely administer an enterprise application running on a Windows Server 2003 system that we had updated with SP1 because the application used both RPC and DCOM for its remote management tools. In addition, after installing SP1 on a Windows Server 2003 system that runs a production Microsoft SharePoint portal, we lost much of our access to the portal.
eWEEK Labs recommends that IT managers carefully evaluate and test application compatibility before updating production systems. To ensure that updated servers will run within normal parameters, it's especially important to know what application settings need to be modified after SP1 locks down a system.
Windows Server 2003 SP1 is available for download at www.microsoft.com/downloads/search.aspx?displaylang=en or via Windows Update. SP1 will also be available in slipstream versions of Windows Server 2003, including the forthcoming x64 Windows Server 2003 releases.
One of SP1's most welcome and long-overdue features is improved security around DCOM and RPC services. SP1 changes the way COM (Component Object Model) calls are made by checking every request against an access control list, thereby restricting access. SP1 also gains new registry keys that will allow administrators to modify RPC behaviors to eliminate anonymous remote access.
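To see which RPC and DCOM restriction settings differ on a test server before and after the service pack, the following added example (not eWEEK's or Microsoft's code) diffs two registry exports and reports only the watched keys. The key and value names come from Microsoft's SP1 documentation rather than from this review, and both sample exports are constructed for illustration.

```python
import re

# Key names are from Microsoft's SP1 documentation, not from the review.
WATCHED = tuple(k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
))

# Constructed sample exports (decoded text), not what SP1 writes on a real host.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="1"
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"MachineAccessRestriction"=hex:01,00,04,80,\
  00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc]
"RestrictRemoteClients"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="2"
"""

def parse_reg(text):
    """Parse decoded .reg export text into {(key, value_name): raw_data}."""
    values, key = {}, None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continued hex: lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                values[(key, m.group(1))] = m.group(2)
    return values

def is_watched(key):
    k = key.lower()
    return any(k == w or k.startswith(w + "\\") for w in WATCHED)

def diff_watched(before, after):
    """List (key, name, old, new) for watched values that differ; None = absent."""
    b, a = parse_reg(before), parse_reg(after)
    return [(k[0], k[1], b.get(k), a.get(k))
            for k in sorted(set(b) | set(a))
            if is_watched(k[0]) and b.get(k) != a.get(k)]
```

Exports saved by Regedit in the version 5.00 format are UTF-16, so decode the file before passing its text to `diff_watched`.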
SP1 adds DEP (Data Execution Prevention) technology to the Windows Server 2003 platform. As in Windows XP SP2, DEP performs memory checks in Windows Server 2003 SP1 to protect systems against malicious code exploits.
The operating system can enforce DEP using hardware and software: Both Advanced Micro Devices Inc. and Intel Corp. have shipped DEP-compatible chip architectures, and SP1 adds a set of security checks in the form of software-enforced DEP.
SP1 also brings many administration enhancements to Windows Server 2003.
SCW (Security Configuration Wizard) enables role-based security policy authoring that guides administrators via a series of questions to determine a server's security blueprint—a big improvement over (but a good complement to) the similar Configure Your Server tool in standard Windows Server 2003. During tests, SCW let us quickly shut down services that were not being used and, more important, disable unnecessary Internet Information Services extensions. SCW also helped us identify and block unused ports.
Using SCW, we could author XML-based security templates to roll out security policies to multiple systems. Using different templates, administrators can roll back a system with previously configured security policies before disabling other services. SCW also integrates with Microsoft Active Directory, so IT managers can deploy SCW policies via Group Policy.
SP1 also introduces PSSU (Post-Setup Security Updates), which protects servers from network attacks while they are getting patched. The PSSU feature is enabled during any slipstream version install of Windows Server 2003 with SP1, and it appears the first time an administrator logs on. The PSSU dialog box reminds administrators that all inbound connections are blocked and prompts users to download and install critical updates and configure automatic-update settings.
A feature that was welcome on the desktop side, in Windows XP SP2, won't be so widely embraced on the server side. It made sense to provide Windows Firewall in XP SP2, but its inclusion in Windows Server 2003 SP1 is questionable because most organizations' production servers are well-protected behind corporate firewalls. The Windows Firewall will be enabled only during new installations of Windows Server 2003 with SP1.
Another update to Windows Server 2003, set for release later this year and code-named R2, will introduce capabilities including Active Directory Federated Services and new rights and storage resource management features.
R2 is built on top of the SP1 code base, so Windows Server 2003 shops will be able to choose to run some or all of R2's features and to run both Windows Server 2003 SP1 and R2 systems on the same network. Customers on the Microsoft Software Assurance plan will receive R2 at no charge; others will have to purchase separate licenses for R2 in addition to Windows Server 2003 licenses.
Windows Server 2003 SP1 addresses, among other things, known vulnerabilities within Windows Server 2003 by tightening the authorization needed for some services and disabling others. This is a good thing, but deployment of SP1 without proper testing and an eye toward reported incompatibilities could wreak havoc on production systems. Following are some of the most potentially problematic issues that have been reported after deployment of SP1. For a comprehensive list of application regression issues, go to Microsoft's online Knowledge Base at www.support.microsoft.com/?scid=kb;en-us;896367&spid=3198.
- Exchange Server 2003 users will lose Microsoft Outlook Web Access to mailboxes located on an Exchange cluster. Microsoft has provided a workaround for this issue at go.microsoft.com/fwlink/?LinkId=37488.
- System management tools such as Hewlett-Packard Co.'s HP Systems Insight Manager and Dell Inc.'s OpenManage will not work with SP1. Shops running Windows Server 2003 should wait until an update is available before deploying SP1 on production servers.
- System Management Server 2003 has had issues with SP1 that require resetting DCOM permissions and enabling remote WMI (Windows Management Instrumentation).
- Issues have been reported with Citrix Systems Inc.'s Citrix MetaFrame client connectivity.
- Small Business Server 2003 shops should not install the version of SP1 now available via Windows Update. Microsoft will provide a dedicated service pack for SBS 2003 this month.
Best practices: Windows Server 2003 SP1
- Test, test, test: The service pack should be tested in a preproduction environment before it is deployed onto production servers. Test all business-critical applications against the service pack to ensure compatibility and to mitigate risks.
- Ensure everything is up-to-date: Check all drivers, firmware, BIOSes, and monitoring and management tools and make sure they have been updated.
- Application compatibility is key: Understand the changes introduced by SP1 and test for changes to application compatibility. To better secure Windows Server 2003, Microsoft has included more computerwide restrictions that may disrupt insecure computing methods already in place within your organization. Keep an eye on changes to DCOM (Distributed Component Object Model) and RPC (remote procedure call), in particular.
- Educate yourself: Check the Microsoft Windows Server 2003 SP1 support site (www.support.microsoft.com/?scid=kb;en-us;896367&spid=3198) for updates that fix regressions found in application testing.
Source: Microsoft and eWEEK reporting
Evaluation Shortlist
- Apple Computer Inc.'s Mac OS X Server 10.4: Adds 64-bit application support, ACLs (access control lists), services such as iChat Server and Weblog Server, and Xgrid software for building compute clusters (www.apple.com)
- Linux Kernel 2.6: Major changes include Linux for embedded systems and NUMA (Non-Uniform Memory Access) support (www.linux.org)
- Sun Microsystems Inc.'s Solaris 10: Provides better resource utilization with Solaris Containers and easier debugging through DTrace diagnostic tools (www.sun.com)
Technical Analyst Francis Chu can be reached at francis_chu@ziffdavis.com.