With very little fanfare, Microsoft released the much-anticipated Service Pack 1 (SP1) for Windows Server 2003 at the end of March. Compatible with all versions of Windows Server 2003—with the exception of Small Business Server 2003—SP1 includes many of the security enhancements included in last year's Windows XP Service Pack 2 (SP2).
Of course, as evidenced by XP SP2, service packs can mean more than changes and enhancements; they also often include disruptions and incompatibilities. To avoid such disruption and ensure a smooth transition to the service pack, it's important to understand the changes and additions before deploying the service pack. To help you out, let's look at some of the most significant components of SP1.
One of SP1's most noteworthy additions is Post-Setup Security Updates (PSSU), a feature sure to warm the hearts of many administrators. PSSU locks down a system to all incoming traffic immediately after installation until an administrator is able to update the server.
This period between the initial installation and the point when you get the chance to install security updates is a time during which a Windows server is particularly ripe for attack. PSSU automatically protects your server with the Windows Firewall until you can apply updates.
Speaking of firewalls, another brand-new feature in SP1 is the Windows Firewall, which replaces the Internet Connection Firewall that originally shipped with Windows Server 2003. Unlike XP SP2, the default setup doesn't enable this new firewall, since doing so could seriously disrupt operations. (However, the firewall is a default part of the setup for new installations of Windows Server 2003 that include Service Pack 1.)
With SP1, Microsoft has also taken steps to harden Internet Explorer and make it more difficult to exploit. This is particularly welcome news for administrators who provide desktop services using Terminal Services or Citrix. If you've deployed XP SP2, you should already be familiar with the improvements to IE.
SP1 also changes how IE handles ActiveX controls, reducing the chances that a malicious program can execute without the user's knowledge. In addition, SP1 makes it more difficult for a malicious site to automatically resize an IE window containing a program hidden from the user. Programs that operate in this way can include keystroke loggers and other software that isn't conducive to a secure environment.
SP1 also includes the Security Configuration Wizard, which helps administrators disable unnecessary services, block unused ports, and more. It also helps with configuring Windows Firewall and creating security templates for role-based server lockdown.
Finally, SP1 also tightens up RPC and DCOM, favorite targets for hackers. These services now require a higher level of authentication before someone can use them, making them less vulnerable to exploitation by outsiders.
You can download Windows Server 2003 Service Pack 1 from Microsoft's Web site. Keep in mind that SP1 will not automatically deploy to your production servers. Instead, you must install the update manually.