Opinion: Upcoming Service Pack Doesn't Change Much -- And That's Good

All the emphasis right now is on Windows XP SP2 -- and rightly so. But there's another Windows service pack just around the bend, and if early indications are accurate, Windows Server 2003 SP1 shows how far Microsoft has come in terms of OS security.

There are many changes in SP1, currently scheduled for release in the first half of next year. They include the biggest security enhancement, the Security Configuration Wizard (SCW). The SCW will be able to determine what role a particular server plays on a network, and turn off all non-essential services on that box, considerably tightening up its security.

That's a nice feature to have, along with some of the other enhancements. But it's safe to say that Windows 2003 SP1 isn't an essential upgrade -- and that's a good thing, believe it or not. It's a mantra in the IT world that you don't upgrade OSs (at least Microsoft OSs) until at least the first service pack is released. The belief is that the service pack will squash the big bugs and unravel the major kinks, making it safe for data centers.

The difference with Windows 2003 SP1 is that there aren't huge security holes to fix, the way there were with, say, XP SP2. The SCW, for instance, merely does what an admin could do by hand -- dig down a little and turn off services. It doesn't plug a gaping hole; it simply makes the admin's job more efficient.

Last week, I talked at length to two Microsoft employees who work in the IT department. They're straight-shooters when it comes to their employers' products: they see themselves, like you do, as Microsoft customers who have to clean up the messes left by bad Microsoft software. They also do early beta testing of server products, and have been running Windows 2003 SP1 for awhile now. They were overwhelmingly positive about SP1, noting that the upgrade mostly makes configuration changes, not changes to core OS functionality or operations.

That tells me that Windows 2003 was pretty good out of the box, which confirms much anecdotal evidence and media reports about the OS's relative security in its first iteration. How often have we seen that come out of Redmond?

Maybe that $200 million code review, when Microsoft pulled its developers off other projects to comb through the OS for security glitches, has paid some dividends after all. I'm not claiming we've entered the era of Trustworthy Computing (after all, IE is still a shipping product), but the fact that Windows 2003 SP1 isn't something you have to slap on your servers the moment it's released signals a sea change in Microsoft's approach to security.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


comments powered by Disqus

Subscribe on YouTube