Some of you are probably still reeling from the impact of
Windows XP Service Pack 2 on your desktop computers. Now, start getting ready
for similar, but not quite as
invasive, changes coming to Windows Server 2003 with the release of this
product’s first service pack in 2005. The impact at the server side of the
equation is extremely important to consider before you roll out SP1.

Major changes to existing components

Besides adding a number of new features discussed later in
this article, service pack 1 for Windows Server 2003 introduces significant
changes to Windows Server 2003 servers. If you’re familiar with Windows XP SP2,
you’ve already gotten a taste of the changes you can anticipate in WS2K3 SP1.

Most prominently, SP1 introduces sorely needed security
enhancements to Internet Explorer, which suffers from a number of common attack
vectors by malicious code—particularly ActiveX-based code. SP1 makes it more
difficult for ActiveX controls to execute without the knowledge of the user. Further,
SP1 makes it more difficult for a site to automatically resize an IE window
containing a running, malicious program hidden from the user. Programs that
operate in this way can include keystroke loggers and other software that isn’t
conducive to a secure environment.

A little more behind the scenes, SP1 enforces a stricter set
of privileges on vulnerable services such as RPC and DCOM, favorite targets of
hackers. SP1’s RPC and DCOM services require a greater level of authentication
by client services before they can be used, helping to make them less
vulnerable to exploit.

Microsoft has also taken steps to harden the included
Outlook Express e-mail program by providing for the use of plain text e-mail
versus HTML. Seriously security-minded people don’t use HTML e-mail as it opens
up the potential for e-mail-based attacks. Outlook Express also includes
capability to display the text-only portions of an HTML e-mail, similar in
functionality to Outlook 2003. In this mode, an external Web server is not
contacted to download inline HTML content, helping to protect the user from
accidentally verifying his e-mail address to a spam originator.

Some might look at Internet Explorer and Outlook Express
enhancements and wonder why these would be common applications at the server
level. After all, you could always just disallow their use. However, keep in
mind that IE and Outlook Express could be very important applications in
environments using the Terminal Services component of Windows Server 2003. Further,
SP1 includes Windows Media Player 10, which adds new features (including more
digital rights management software, unfortunately), but does fix potential
security problems as well.

As Microsoft points out in its documentation, SP1
“shrinks the attack surface of Windows Server 2003.” It’s important
to note that it does not say it “eliminates” the attack surface, but
any progress in hindering the ultimate exploit of a Windows system is good in
my book. These are just some of the major, high-level changes taking place in
SP1. Under the hood, the details for these changes address a great number of
security issues. Take a look at the full SP1 documentation available on
Microsoft’s Web site for more information.

New features

SP1 adds a number of new features to Windows Server 2003. Most
new features are designed to enhance the security and stability of the
operating system.

Like Windows XP SP2, SP1 for Windows Server 2003 replaces
the Internet Connection Firewall with a full, stateful firewall simply called
Windows Firewall. However, unlike XP SP2, WS2K3 SP1’s firewall is not enabled by default. It’s set to Off during the SP1 installation and is
only enabled during the new Post-Setup Security Update, discussed below. Of
course, you can opt to enable the Windows Firewall to protect your server, but
be prepared for some administrative overhead as you make sure your applications
continue to be able to communicate with clients.

A brand new feature, never before seen in Windows, Post-Setup
Security Updates (PSSU) protect your server during the dangerous time between a
clean installation and the time you install critical security updates.
Previously, servers were open to attack during the time when the system
remained unpatched. PSSU uses the new Windows Firewall to block all incoming
traffic to the server until such time as critical updates are applied. PSSU
also helps administrators configure Automatic Updates for servers. Personally,
I’m not a huge fan of automatic updates at the server level without some kind of intervention from an
administrator, particularly for updates that change the behavior of
applications.

Also included with SP1 are the RQS and RQC utilities, which
help administrators responsible for remote desktop computers to ensure that
their desktops are safe for the environment. RQS and RQC comprise the Network
Access Quarantine Control feature (also called VPN Quarantine) of SP1 and can
be configured to deny entry to a private network by computers until an
administrator-defined script validates the safety of the system. It’s important
to keep in mind that Network Access Quarantine in SP1 is used only for remote
access connections. The next version of Windows—Longhorn—is expected to include
a more full-featured service called Network Access Protection, which extends
this validation beyond remote access to DHCP and IPSec communications.

Beyond just additional software to help increase the
security and availability of Windows servers, SP1 also includes support for
some hardware initiatives from Intel and AMD designed to protect a system from
exploitation. Called “no execute” or “data execution
prevention”, SP1 supports the processor’s ability to make sure programs
aren’t accessing areas of RAM that they aren’t supposed to.

SP1 Release Candidate installation

First, the requisite disclaimer: Don’t install the SP1 RC on
a production server. You’ll probably end up regretting it, and you never know
what will change between this first RC and the final SP1.

With that out of the way, I’ll go over a quick sample
installation of the SP1 RC so you can get an idea of what’s involved in the
installation. I’ll also show some screenshots after the installation is
complete so you can start to see what’s changed.

The first step in the installation, as you might expect, is
to download the RC for SP1 from Microsoft’s Web site. You can get the file here.

Once downloaded, you’ll need about 400 MB of disk space in
order to extract the contents of the download. To extract the files and start
the installation of SP1, double-click on the file you downloaded.

The first screen of the installer, shown in Figure A, just gives you a basic overview
of things you should do before installing the SP1 RC. It’s pretty standard
stuff, but I wanted to include the screenshot for completeness.

Figure A

Back up your server before installing SP1.

Next, you get to decide where you’d like to back up your
original system files in the event of a problem with SP1 (Figure B). If you run into trouble down the line, these files give
you the ability to roll your system back to its pre-SP1 configuration.

Figure B

Decide where you want uninstall information stored.

With the previous step out of the way, the installer makes
sure you have enough disk space to perform the installation and then does so. The
process takes a while since the impact of SP1 on your system is fairly
widespread. My test installation for this article took around a half hour to
complete. A reboot is necessary after installation completes. After the reboot,
a quick check of the computer’s properties shows a screen similar to that in Figure C.

Figure C

Service Pack 1 is running on this server.

Sample changes

You’ve read that SP1 includes a number of changes and, if
you’re familiar with XP SP2, you’ve already seen some of them in action. For
example, the firewall configuration screen (Start -> Control Panel ->
Windows Firewall) is shown in Figure D.

Figure D

The Windows Firewall replaces the Internet Connection Firewall.

Prior to WS2K3 SP1 and XP SP2, Outlook Express was a major
security risk when it came to HTML mail. Now, with the ability to block certain
external content, reading mail is much safer. The option is enabled on the
Security tab at Tools -> Options in Outlook Express, as shown in Figure E.

Figure E

Block external content in Outlook Express.

Summary

Beyond the few screen shots shown here, SP1 affects Windows
servers with new updates and restrictions that might cause problems with
existing applications, so extensive testing needs to be done. Also be prepared
for Windows Server 2003 R2, due to be released after SP1. R2 will combine all
updates and service packs for WS2K3 into a single upgrade.