Beta Man

One Welcome Service Pack

Our Beta Man offers an early look at what Windows Server 2003 SP1 will bring.

We knew that new features like the Windows Firewall would certainly be in SP1; after all, Win2003 and WinXP are cousins built on the same code base. But it wasn't clear what the actual implementation of SP1 would look like. Would the firewall be on by default? What new security features would be added? What risks would installing SP1 pose to our environments?

We've now got the answers to some of those questions, and the news is good.

The Windows Timeline
Microsoft is always trying to come up with a software release roadmap that makes sense both from a development and customer standpoint. Currently, the theory is that operating systems will have about four years between major versions. In between we'll get "Releases" like the forthcoming Win2003 Release 2 (R2). These will include few if any changes to the core OS, but will simply add features—often features which have been Web-released already, such as Automated Deployment Services (ADS). Releases are intended for immediate installation with minimal regression testing.

Service Packs will continue to include core changes to the operating system, requiring more testing to ensure they don't adversely affect applications and services. Hotfixes, of course, will continue to address immediate issues in both security and stability. SP1, then, can be expected to include changes to the way Windows works, roll up past hotfixes and incorporate some important new features.

Microsoft Windows Server 2003 Service Pack 1

Version reviewed: Pre-Release Candidate
Current status: Release Candidate
Expected release: First half of 2005

Windows Firewall
Easily the most talked-about feature in SP1 is the Windows Firewall, which many administrators feared would break every one of their servers, since rumor had it that it would be turned on by default. Rumor was mistaken this time, though, and the Windows Firewall will not be enabled by default when you install SP1 on an existing Win2003 box. You'll be able to turn the Firewall on, of course, and the new Windows Security Configuration Wizard (SCW, more on that in a bit) can even help automatically configure the Firewall for you. But it's not on by default, so it won't immediately make your servers stop serving. Microsoft realizes that servers are different beasts from clients, and that an on-by-default Firewall might not always be desirable.

In one instance, the Firewall does come on automatically, and it makes for a slick feature. If you install a new Win2003 machine using slipstreamed media (that is, an installation CD which incorporates SP1), the Firewall will automatically be turned on in a "shields-up" mode, allowing outgoing traffic but no incoming traffic. You'll be clearly reminded of this through a Configure Your Server-like Wizard, which displays the Firewall status every time you start the server.

The purpose of this feature is to protect the server while you install the latest patches, anti-virus software and so forth. Once those protections are in place, you can click Finish in the wizard to take the shields down and put the server into normal operation.

This is a feature I'd love to see modified and put in WinXP: "Hi Grandma, welcome to your new PC. We'll activate in a minute but for right now I need to download some updates. Be right with you." This combo of "shields-up" Firewall and aggressive Automatic Updates would be a big help, particularly for the less tech-savvy consumer market.

Beta Man's Routine Disclaimer:
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

The Firewall also includes a new boot-time security feature. Normally, there's a time while Windows is starting that enough of the OS is running to accept incoming network traffic, but the Firewall itself isn't fully engaged. This creates a vulnerable boot-time period during which the server can be attacked. In SP1, both the IPv4 and IPv6 Firewall drivers have a static rule to perform stateful filtering, which is referred to as the boot-time policy. This policy permits basic outgoing traffic critical to startup, like DNS and DHCP, while restricting incoming traffic. Once the Firewall is fully loaded and running (along with its dependent services), the boot-time policy is removed and whatever run-time policy you've configured in the Firewall takes effect. Note that the boot-time policy doesn't work if the Firewall is stopped and set to either Manual or Disabled startup mode.
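To make the boot-time behavior concrete, here is a small stateful-filter model added as an illustration. It is not the Windows Firewall driver's code; the rule table, the packet shape and the addresses are constructed for the example. It shows the two things the passage describes: a reply to a flow the host itself opened is admitted on the strength of connection state, and unsolicited inbound traffic is dropped until the run-time policy replaces the static boot-time rule.

```python
"""Toy stateful packet filter modelling the boot-time policy described above.

Added illustration only: the rule table, the Packet shape and the addresses
are constructed for this example and are not the Windows Firewall driver's
actual rules or data structures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (host-originated) or "in" (arriving from the network)
    proto: str       # "udp" or "tcp"
    local_port: int
    remote_port: int
    remote_addr: str


# Boot-time policy (constructed to match the passage): only the outbound
# traffic startup depends on, here DNS and the DHCP server port, is allowed.
# Nothing unsolicited is allowed inbound.
BOOT_TIME_OUTBOUND = {("udp", 53), ("udp", 67)}


class StatefulFilter:
    def __init__(self):
        self.boot_time = True
        # Flows this host opened; a reply matching one is admitted even though
        # no inbound rule allows the port. A real filter also keys on addresses
        # and expires entries; this model keeps (proto, local, remote) only.
        self.flows = set()
        self.runtime_inbound = set()

    def load_runtime_policy(self, inbound_allow):
        """Called once the firewall service and its dependencies are running:
        the static boot-time rule is dropped and the administrator's run-time
        policy (here a set of (proto, port) pairs to accept) takes over."""
        self.boot_time = False
        self.runtime_inbound = set(inbound_allow)

    def permit(self, pkt: Packet) -> bool:
        flow = (pkt.proto, pkt.local_port, pkt.remote_port)
        if pkt.direction == "out":
            if self.boot_time and (pkt.proto, pkt.remote_port) not in BOOT_TIME_OUTBOUND:
                return False
            self.flows.add(flow)          # remember it so the answer can come back
            return True
        # Inbound: stateful match first, then whichever policy is active.
        if flow in self.flows:
            return True
        if self.boot_time:
            return False
        return (pkt.proto, pkt.local_port) in self.runtime_inbound


def demo():
    """Walk one boot: DNS lookup allowed and answered, SMB probe dropped,
    then the run-time policy opens TCP 80 only."""
    fw = StatefulFilter()
    decisions = [
        fw.permit(Packet("out", "udp", 1025, 53, "10.0.0.2")),    # DNS query
        fw.permit(Packet("in", "udp", 1025, 53, "10.0.0.2")),     # its reply
        fw.permit(Packet("in", "tcp", 445, 40000, "10.0.0.9")),   # unsolicited SMB
    ]
    fw.load_runtime_policy({("tcp", 80)})
    decisions += [
        fw.permit(Packet("in", "tcp", 80, 50000, "10.0.0.9")),    # web client
        fw.permit(Packet("in", "tcp", 445, 50001, "10.0.0.9")),   # still not opened
    ]
    return decisions


if __name__ == "__main__":
    print(demo())
```

The model also reproduces the caveat at the end of the passage in spirit: the protection comes from the static rule being present before the service is, so a filter object that is never instantiated protects nothing.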

Security Configuration Wizard
The SCW is perhaps the most important new feature in SP1, making Windows' complex security challenges much easier for mere mortals to understand and deal with. Roughly similar in appearance to the Configure Your Server Wizard that starts when you log on to a new Win2003 machine, the SCW is perhaps the best swing Microsoft has yet taken at the issue of security complexity.

The SCW is a separate Windows component, which only needs to be installed on one server. It produces security templates, which can be used to configure one or more servers, either directly using a command-line tool or via Group Policy. In fact, the SCW allows you to import any existing security templates you've created in the Security Configuration and Analysis (SCA) toolset. This gives you the ability to create one master template with all of your security settings, and ensures organizations that have spent a lot of time developing security templates can take advantage of the new SCW.

The coolest SCW feature is Rollback. If you create and apply a template which turns out to be less-than-stellar ("Jones! Why are all the Exchange servers suddenly refusing client connections?"), one button will back the template out and put you back where you started. Whew.

Highlights of Windows Server 2003 Service Pack 1
Integrated Windows Firewall, which isn’t enabled by default.
"Shields Up" Firewall mode protects new installations until any outstanding updates are applied.
Security Configuration Wizard consolidates and makes sense of complex, security-related configuration issues.
Myriad bundled (and regression-tested) updates help bring your servers up to speed, even if you’ve missed a few patches in the past.
Performance and stability improvements reflect continuing operating system maturity.
Further hardening of Internet Explorer (although still not a much-needed uninstall option).
More restrictive default permissions and configurations for WebDAV, RPC, DCOM and other components.
Finally, a complete list of everything that the service pack changes.

It's hard to make bad decisions with the SCW, because it's designed to make security easier to comprehend. It starts by detecting every possible role your server can play, based on the software (services and so forth) installed. The detection mechanism is based in part on an XML-formatted configuration file, which defines specific roles, their associated services, firewall ports and the like. The XML format is open, allowing third parties to "plug in" to the SCW and have their products included. The SCW can also detect potential roles based on software which could be installed, like DNS or WINS.

Once the SCW detects all of your possible services, you simply indicate which ones you want the server to perform. SCW enables the appropriate services, configures the correct firewall ports and you're ready to go. You can optionally have the SCW disable all services not being used by the selected roles, and even have it configure Windows to disable any new services which appear that are unrelated to the server's designated roles. This is a fantastic security feature that many administrators will appreciate, and it eliminates the guesswork ("Do I need the Server service on an IIS server?") that's been associated with configuring services in the past.

The SCW does more than just configure services, though. It also simplifies the process of configuring Server Message Block (SMB) signing, authentication levels, time sync parameters, Lightweight Directory Access Protocol (LDAP) signing and more, all based on simple questions. Tell the SCW you've still got some Win9x in your environment and it'll permit the NTLM authentication protocol to work; indicate that every machine is either WinXP or Win2003 and it'll max out security levels. The SCW also understands the overhead that things like LDAP and SMB signing place on a server, and allows you to indicate which servers have "available processor capacity" so you can configure appropriate levels of security without bringing already burdened servers to their knees.

For me, one of the nicest parts of the SCW is its clear service-port mapping. No longer will you need to guess which open TCP or UDP ports go with which running services; the SCW knows and can show you in helpful little comments attached to each port listing or service entry.
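The role detection, the enable/disable decision for services and the port-to-service annotation described in the preceding paragraphs come down to a small amount of set logic over a role definition file. The following Python is an added illustration of that logic, not SCW code: the XML schema, the role names and the port data are constructed for the example (the real SCW role definition files use their own schema), and the Windows service names used as sample data, such as W3SVC and LanmanServer (the "Server" service), appear only as identifiers.

```python
"""Role-based hardening in the style the SCW description above lays out.

Added illustration, not SCW code: the XML schema, role names and the
service/port data are constructed for this example (the real SCW role
definition files use their own schema).
"""
import xml.etree.ElementTree as ET

ROLE_DEFINITIONS = """\
<Roles>
  <Role name="Web Server">
    <Service name="W3SVC"/>
    <Service name="IISADMIN"/>
    <Port proto="tcp" number="80" service="W3SVC"/>
    <Port proto="tcp" number="443" service="W3SVC"/>
  </Role>
  <Role name="File Server">
    <Service name="LanmanServer"/>
    <Port proto="tcp" number="445" service="LanmanServer"/>
    <Port proto="tcp" number="139" service="LanmanServer"/>
  </Role>
  <Role name="DNS Server">
    <Service name="DNS"/>
    <Port proto="udp" number="53" service="DNS"/>
    <Port proto="tcp" number="53" service="DNS"/>
  </Role>
</Roles>
"""


def parse_roles(xml_text):
    """Return {role: {"services": set of names, "ports": {(proto, number): service}}}."""
    roles = {}
    for role in ET.fromstring(xml_text).findall("Role"):
        roles[role.get("name")] = {
            "services": {s.get("name") for s in role.findall("Service")},
            "ports": {(p.get("proto"), int(p.get("number"))): p.get("service")
                      for p in role.findall("Port")},
        }
    return roles


def detect_roles(roles, installed_services):
    """A role is a candidate for this server when every service it needs is installed."""
    return {name for name, r in roles.items() if r["services"] <= installed_services}


def build_policy(roles, selected, installed_services):
    """Enable the services the selected roles need, disable every other installed
    service (answering the 'do I need the Server service on an IIS box?' question),
    and open only the ports those roles use."""
    unknown = set(selected) - set(roles)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    enable, open_ports = set(), {}
    for name in selected:
        enable |= roles[name]["services"]
        open_ports.update(roles[name]["ports"])
    return {
        "enable": enable,
        "disable": set(installed_services) - enable,
        "open_ports": open_ports,            # (proto, port) -> owning service
    }


def describe_ports(policy):
    """The per-port annotation: one line per open port naming the service behind it."""
    return [f"{proto}/{port} <- {svc}"
            for (proto, port), svc in sorted(policy["open_ports"].items())]


if __name__ == "__main__":
    roles = parse_roles(ROLE_DEFINITIONS)
    installed = {"W3SVC", "IISADMIN", "LanmanServer", "Spooler", "Messenger"}
    print("candidate roles:", detect_roles(roles, installed))
    policy = build_policy(roles, {"Web Server"}, installed)
    print("enable:", sorted(policy["enable"]))
    print("disable:", sorted(policy["disable"]))
    print("\n".join(describe_ports(policy)))
```

With only the Web Server role selected, LanmanServer lands in the disable set even though it is installed, which is exactly the guesswork the passage says the wizard removes; the port listing then carries the owning service beside each open port.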

There's More—Lots More
SP1 contains a dizzying number of changes, many of which are security-related and all of which require some testing on your part to ensure they don't cause problems, especially with in-house and vertical applications. For example, the Distributed Component Object Model (DCOM) security model has changed slightly, and now includes computer-wide access controls that govern all access to DCOM. Regular COM permissions are more detailed, too, providing more granular access control.

Small Business, Anyone?

The improvements in SP1 will be coming to Small Business Server 2003 in due time, probably within three months after SP1 ships. SP1 for SBS2003 will offer everything that the regular Win2003 SP1 offers, while ensuring compatibility for SBS' built-in firewall, Exchange server, SQL Server and so forth. Microsoft’s goal is to get the SBS2003 version of SP1 out as soon as possible while ensuring compatibility with the internal set of SBS services.

— Don Jones

IE picks up the changes from WinXP SP2, including the Content Advisor feature. This layers atop Win2003's existing IE Enhanced Security Configuration (ESC), an optional, installed-by-default feature which severely cripples IE's functionality—and therefore vastly reduces an attacker's ability to exploit IE. In fact, IE picked up a lot of nice features in SP1 (many of which are also present in XP SP2), including add-in crash management, better management via Group Policy, Local Machine security zone lockdown, network protocol lockdown, pop-up blocking and more. You can read more about these features in the SP1 release notes (which I'll discuss in a moment), but frankly I don't recommend using IE on a server unless you absolutely have to. IE still has significant potential for security vulnerabilities, and not using it at all will reduce your attack surface.

Win2003's WebDAV redirector—used for sharing folders over the HTTP protocol—now disables Basic authentication over unencrypted lines, which helps protect user credentials from electronic eavesdropping.
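The rule behind that change is simple to state and worth seeing as code: Basic authentication only base64-encodes the password, so a client should hand it over solely on an encrypted connection. The following is an added Python illustration of such a client-side policy; it is not Microsoft's redirector code, and the header values, URLs and scheme preference order are constructed for the example.

```python
"""Client-side credential policy modelled on the SP1 WebDAV redirector change
described above: Basic credentials are sent only over an encrypted connection.

Added illustration, not Microsoft's code. Header values and URLs are constructed.
"""
import re
from urllib.parse import urlsplit

# Schemes preferred over Basic when the server offers a choice (constructed order).
PREFERRED = ("negotiate", "ntlm", "digest")

# Split a header on commas that are not inside a quoted string, so a realm
# such as realm="a,b" is not mistaken for the start of a new challenge.
_CHALLENGE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_challenges(www_authenticate):
    """Return the lower-cased scheme names carried by a WWW-Authenticate header.
    A challenge starts with a scheme token; a token containing '=' is a parameter
    of the preceding challenge, not a scheme."""
    schemes = []
    for part in _CHALLENGE_SPLIT.split(www_authenticate):
        part = part.strip()
        if not part:
            continue
        token = part.split(None, 1)[0]
        if "=" not in token:
            schemes.append(token.lower())
    return schemes


def choose_auth_scheme(url, www_authenticate):
    """Pick the scheme to answer with. Basic is acceptable only when the URL is
    https: on a cleartext link anyone listening recovers the password."""
    offered = parse_challenges(www_authenticate)
    for scheme in PREFERRED:
        if scheme in offered:
            return scheme
    if "basic" in offered:
        if urlsplit(url).scheme.lower() == "https":
            return "basic"
        raise PermissionError("only Basic offered over cleartext; credentials withheld")
    raise ValueError("no usable authentication scheme offered")


if __name__ == "__main__":
    print(choose_auth_scheme("https://files.example.test/dav/", 'Basic realm="dav"'))
    print(choose_auth_scheme("http://files.example.test/dav/",
                             'Negotiate, NTLM, Basic realm="dav"'))
```

The eavesdropping risk the passage mentions is the reason the check keys on the URL scheme rather than on what the server offers: a server that offers only Basic on http gets no credentials at all.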

Easily ignored are all the usual improvements that go into a service pack, such as rolled-up hotfixes and general improvements to stability and reliability. SP1, for example, benefits from Microsoft's hard work on 64-bit versions of Windows. Performance tuning in those versions led to insights which have been applied to the 32-bit base code, giving us some performance enhancements throughout Win2003.

Other changes—ones that warrant some testing to make sure they won't break applications or services—include changes to the way the server handles Remote Procedure Calls (RPCs). Win2003 SP1 no longer permits, by default, unauthenticated or anonymous access to RPCs, helping to significantly reduce the attack surface of this oft-attacked component of Windows.

Other reliability improvements in SP1 improve server uptime so much that many early-adopter customers are pushing hard for the SP1 release schedule to be shortened. That's impressive, and it brings us back to the fact that improvements in reliability and stability are—more than Firewalls and Wizards—what service packs are supposed to be all about.

Wanted: Betas for Review
Beta Man is always on the lookout for quality products to review. If you know of a software product that is currently or soon to be in beta, contact Beta Man at don@scriptinganswers.com. Vendors are welcome, but please act early—the meticulous Beta Man needs plenty of lead time.

Better Documentation
Ever looked for a list of everything that's changed, from a functional viewpoint, in a service pack? Me too, but good luck finding it—at least in the past. For SP1, Microsoft assembled a daunting 163-page document that lists every functional change made—at least a third of which seem related to IE, by the way. This is a fantastic document to review before your SP1 deployment, because it'll help you focus your testing efforts on areas that you know have changed in some fashion. For example, the document lets you know that many remote administration tools require TCP port 445, which may be blocked if you've enabled the Windows Firewall. Not exactly a change per se, but something you'll need to consider as part of your SP1 deployment.

SP1 is a far cry from the days when Microsoft claimed to not bundle new features in service packs. However, everything new in SP1 is welcome, from the "security for mere mortals" approach to complex server configuration to the under-the-hood performance improvements. While it's doubtful that enterprises will rush to install SP1 on day one—caution, as always, is called for with a release of this magnitude—everyone should start testing and planning their deployment right away.


Reader Comments:

Mon, Oct 1, 2007 Antonio Lam Chicago

Poor Booker, I do have a good understanding of the modern security architectures. Just that I don't think adding a few features can suddenly make Win2003 a good OS. It is still a bad OS, but with some better features than the old one.

Tue, Oct 4, 2005 Haitch London

Mark, the same thing happened to me. Only my copy has SP1 on by default. Does anyone know a resolution??? I get "bad return code 80004015" in the event log.

Thu, Apr 14, 2005 Mark Houston

When I installed the service pack, it locked out my server from being able to be accessed or from accessing anything. It even showed no network connections. Are my default security settings too low in complexity for this new system upgrade to function, or do I need to turn something else on???

Thu, Apr 7, 2005 Tom Bye Brighton, Mass

What's Microsoft?

Fri, Apr 1, 2005 Al Holt Florida

Mr. Jones says, "Microsoft assembled a daunting 163-page document that lists every functional change made." OK, that's great! Now where do we find this document? I've been hunting for it.

Wed, Mar 30, 2005 Pete UK

And it's 'simpler', not 'simplilar'.
And it's 'staff', not 'staffs'
And it's 'equipped', not 'equiped'
And it's 'development', not 'developement'...I could go on; come on Conan, you're not fooling anybody!

Wed, Mar 23, 2005 anon Anonymous

Actually it's "insight", not "insite". So much for the proper use of English. :-)

Wed, Mar 23, 2005 Alexander English Speaking World

Conan the Barbarian wants his sword back. The way everyone has hacked at the English language here only reinforces the fact that neither of you can possibly understand or add any insite to this topic. Go back to playing your games and get off the big boy forums.

IE is commonly used for Terminal Server/Citrix environments. The Firewall will only be helpful as a second line of defense for the smaller companies who cannot afford to purchase decent firewall products. However, any way to make security simplilar will help the small companies who don't have IT staffs to deploy products and solutions that will enable them to compete with the bigger companies without breaking their small budgets.

Sadly it isn't sucking up to MS that you should be concerned with. MS does control 80% of the market and that market makes a lot of money. MS makes my company and myself a lot of money. I would rather see more options and enhancements (even if I won't use them) as it shows that they are becoming more flexible and better equiped to fit in to a larger scope of network situations. Plus any developement shows growth and strength in a product, which further reinforces their market strength and longevity. There are millions of networks out there. Almost every one of them has a Microsoft product running in them, but not all Microsoft networks need anything else. Nevertheless my web servers are Linux so I am not a MS lover by any means.

Alex.

Sun, Mar 20, 2005 dune usa

I am getting a few problems after I installed Windows XP SP1. Someone told me to disable a few things; from where shall I disable the services?

Thu, Mar 17, 2005 Muhammed Kazakhstan

I have never seen such kind of thing

Sat, Feb 26, 2005 Mike Curry Maryland

Could this guy POSSIBLY suck up to MS any harder? The vacuum must threaten to cave in his skull, poor deluded fellow.

Sat, Feb 26, 2005 Booker UK

Poor Mr Lam. I recommend you update your understanding of modern security architectures, else you may find yourself not in a job soon. XP SP2 was great for us. Host based protection via firewall is one important aspect of a defense in depth strategy. Being able to manage the state of a HOST based firewall by server role (which is what SCW does) is critical to achieving security manageability. Being able to distribute these security lockdowns centrally via AD is also crucial to us. Or do you just have a firewall at your perimeter?? Wake up, that battle is "almost" lost... especially with the tendency to wrapper everything in http. Manage your connections to your servers as well as manage your perimeters. I expect this message to be lost on you. Shame really.... you do your employers a disservice.

Mon, Feb 14, 2005 Antonio Lam Australia

Well, you are telling me 2003 SP1 is good. Unfortunately I still don't understand why it is good. Borrowing heavily from XP SP2 is good? Fixing holes in IE is good? Who is using IE on a server these days, except for Windows Update? Having a firewall is good? Which company that pays little attention to security has no firewall? Who would rely on the firewall in Win2003 SP1? AD templates for security are good? It's difficult to understand the reason for writing this article.

Sat, Feb 5, 2005 harish chittoor india

Will 2003 SP1 get installed on a system if it has no Internet connection (Intel 915GAV motherboard)?

Fri, Feb 4, 2005 Heini Germany

"... I don't recommend using IE on a server ..."
Running ANY browser with internet access on a server is a potential security threat - especially when working as Administrator!
IE isn't worse at all compared to Firefox, Mozilla, Opera etc.!
