Some of you are probably still reeling from the impact of Windows XP Service Pack 2 on your desktop computers. Now, start getting ready for similar, but not quite as invasive, changes coming to Windows Server 2003 with the release of this product's first service pack in 2005. The impact at the server side of the equation is extremely important to consider before you roll out SP1.
Major changes to existing components
Besides adding a number of new features discussed later in this article, service pack 1 for Windows Server 2003 introduces significant changes to Windows Server 2003 servers. If you're familiar with Windows XP SP2, you've already gotten a taste of the changes you can anticipate in WS2K3 SP1.
Most prominently, SP1 introduces sorely needed security enhancements to Internet Explorer, which suffers from a number of common attack vectors by malicious code—particularly ActiveX-based code. SP1 makes it more difficult for ActiveX controls to execute without the knowledge of the user. Further, SP1 makes it more difficult for a site to automatically resize an IE window containing a running, malicious program hidden from the user. Programs that operate in this way can include keystroke loggers and other software that isn't conducive to a secure environment.
A little more behind the scenes, SP1 enforces a stricter set of privileges on vulnerable services such as RPC and DCOM, favorite targets of hackers. SP1's RPC and DCOM services require a greater level of authentication by client services before they can be used, helping to make them less vulnerable to exploit.
Microsoft has also taken steps to harden the included Outlook Express e-mail program by providing for the use of plain text e-mail versus HTML. Seriously security-minded people don't use HTML e-mail as it opens up the potential for e-mail-based attacks. Outlook Express also includes capability to display the text-only portions of an HTML e-mail, similar in functionality to Outlook 2003. In this mode, an external Web server is not contacted to download inline HTML content, helping to protect the user from accidentally verifying his e-mail address to a spam originator.
Some might look at Internet Explorer and Outlook Express enhancements and wonder why these would be common applications at the server level. After all, you could always just disallow their use. However, keep in mind that IE and Outlook Express could be very important applications in environments using the Terminal Services component of Windows Server 2003. Further, SP1 includes Windows Media Player 10, which adds new features (including more digital rights management software, unfortunately), but does fix potential security problems as well.
As Microsoft points out in its documentation, SP1 "shrinks the attack surface of Windows Server 2003." It's important to note that it does not say it "eliminates" the attack surface, but any progress in hindering the ultimate exploit of a Windows system is good in my book. These are just some of the major, high-level changes taking place in SP1. Under the hood, the details for these changes address a great number of security issues. Take a look at the full SP1 documentation available on Microsoft's Web site for more information.
SP1 adds a number of new features to Windows Server 2003. Most new features are designed to enhance the security and stability of the operating system.
Like Windows XP SP2, SP1 for Windows Server 2003 replaces the Internet Connection Firewall with a full, stateful firewall simply called Windows Firewall. However, unlike XP SP2, WS2K3 SP1's firewall is not enabled by default. It's set to Off during the SP1 installation and is only enabled during the new Post-Setup Security Update, discussed below. Of course, you can opt to enable the Windows Firewall to protect your server, but be prepared for some administrative overhead as you make sure your applications continue to be able to communicate with clients.
A brand new feature, never before seen in Windows, Post-Setup Security Updates (PSSU) protect your server during the dangerous time between a clean installation and the time you install critical security updates. Previously, servers were open to attack during the time when the system remained unpatched. PSSU uses the new Windows Firewall to block all incoming traffic to the server until such time as critical updates are applied. PSSU also helps administrators configure Automatic Updates for servers. Personally, I'm not a huge fan of automatic updates at the server level without some kind of intervention from an administrator, particularly for updates that change the behavior of applications.
Also included with SP1 are the RQS and RQC utilities, which help administrators responsible for remote desktop computers to ensure that their desktops are safe for the environment. RQS and RQC comprise the Network Access Quarantine Control feature (also called VPN Quarantine) of SP1 and can be configured to deny entry to a private network by computers until an administrator-defined script validates the safety of the system. It's important to keep in mind that Network Access Quarantine in SP1 is used only for remote access connections. The next version of Windows—Longhorn—is expected to include a more full-featured service called Network Access Protection, which extends this validation beyond remote access to DHCP and IPSec communications.
Beyond just additional software to help increase the security and availability of Windows servers, SP1 also includes support for some hardware initiatives from Intel and AMD designed to protect a system from exploitation. Called "no execute" or "data execution prevention", SP1 supports the processor's ability to make sure programs aren't accessing areas of RAM that they aren't supposed to.
SP1 Release Candidate installation
First, the requisite disclaimer: Don't install the SP1 RC on a production server. You'll probably end up regretting it, and you never know what will change between this first RC and the final SP1.
With that out of the way, I'll go over a quick sample installation of the SP1 RC so you can get an idea of what's involved in the installation. I'll also show some screenshots after the installation is complete so you can start to see what's changed.
The first step in the installation, as you might expect, is to download the RC for SP1 from Microsoft's Web site. You can get the file here.
Once downloaded, you'll need about 400 MB of disk space in order to extract the contents of the download. To extract the files and start the installation of SP1, double-click on the file you downloaded.
The first screen of the installer, shown in Figure A, just gives you a basic overview of things you should do before installing the SP1 RC. It's pretty standard stuff, but I wanted to include the screenshot for completeness.
|Back up your server before installing SP1.|
Next, you get to decide where you'd like to back up your original system files in the event of a problem with SP1 (Figure B). If you run into trouble down the line, these files give you the ability to roll your system back to its pre-SP1 configuration.
|Decide where you want uninstall information stored.|
With the previous step out of the way, the installer makes sure you have enough disk space to perform the installation and then does so. The process takes a while since the impact of SP1 on your system is fairly widespread. My test installation for this article took around a half hour to complete. A reboot is necessary after installation completes. After the reboot, a quick check of the computer's properties shows a screen similar to that in Figure C.
|Service Pack 1 is running on this server.|
You've read that SP1 includes a number of changes and, if you're familiar with XP SP2, you've already seen some of them in action. For example, the firewall configuration screen (Start -> Control Panel -> Windows Firewall) is shown in Figure D.
|The Windows Firewall replaces the Internet Connection Firewall.|
Prior to WS2K3 SP1 and XP SP2, Outlook Express was a major security risk when it came to HTML mail. Now, with the ability to block certain external content, reading mail is much safer. The option is enabled on the Security tab at Tools -> Options in Outlook Express, as shown in Figure E.
|Block external content in Outlook Express.|
Beyond the few screen shots shown here, SP1 affects Windows servers with new updates and restrictions that might cause problems with existing applications, so extensive testing needs to be done. Also be prepared for Windows Server 2003 R2, due to be released after SP1. R2 will combine all updates and service packs for WS2K3 into a single upgrade.