Stay on top of the
latest WS2K3 tips and tricks with our free Windows Server 2003 newsletter,
delivered each Wednesday. Automatically
sign up today!
With very little fanfare, Microsoft released the much-anticipated Service
Pack 1 (SP1) for Windows Server 2003 at the end of March. Compatible with
all versions of Windows Server 2003—with the exception of Small Business Server
2003—SP1 includes many of the security enhancements included in last year’s Windows
XP Service Pack 2 (SP2).
Of course, as evidenced by
XP SP2, service packs can mean more than changes and enhancements; they
also often include disruptions and incompatibilities. To avoid such disruption
and ensure a smooth transition to the service pack, it’s important to understand
the changes and additions before deploying the service pack. To help you out, let’s
look at some of the most significant components of SP1.
One of SP1’s most noteworthy additions is Post-Setup
Security Updates (PSSU), a feature sure to warm the hearts of many
administrators. PSSU locks down a system to all incoming traffic immediately
after installation until an administrator is able to update the server.
This period between the initial installation and the point
when you get the chance to install security updates is a time during which a
Windows server is particularly ripe for attack. PSSU automatically protects
your server with the Windows Firewall until you can apply updates.
Speaking of firewalls, another brand-new feature to SP1 is
the Windows Firewall, which replaces the Internet Connection Firewall that originally
shipped with Windows Server 2003. Unlike XP SP2, the default setup doesn’t
enable this new firewall since this could result in serious disruption to
operations. (However, this is a default
part of the setup for new installations of Windows Server 2003 that include
Service Pack 1.)
With SP1, Microsoft has also taken steps to harden Internet
Explorer and make it more difficult to exploit. This is particularly welcome
news for administrators that provide desktop services using Terminal Services
or Citrix. If you’ve deployed XP SP2, you should already be familiar with the
improvements to IE.
SP1 also changes how IE handles ActiveX controls, reducing
the chances that a malicious program can execute without the user’s knowledge. In
addition, SP1 makes it more difficult for a malicious site to automatically
resize an IE window containing a program hidden from the user. Programs that
operate in this way can include keystroke loggers and other software that isn’t
conducive to a secure environment.
SP1 also includes the Security Configuration Wizard, which helps
administrators disable unnecessary services, block unused ports, and more. It
also helps with configuring Windows Firewall and creating security templates
for role-based server lockdown.
Finally, SP1 also tightens up RPC and DCOM, favorite targets
for hackers. These services now require a higher level of authentication before
someone can use them, making them less vulnerable to exploit by outsiders.
You can download
Windows Server 2003 Service Pack 1 from Microsoft’ Web site. Keep in mind
that SP1 will not automatically deploy to your production servers. Instead, you
must install the update manually.