Opinion: Upcoming Service Pack Doesn't Change Much -- And That's Good
All the emphasis right now is on Windows XP SP2 -- and rightly so. But
there's another Windows service pack just around the bend, and if early
indications are accurate, Windows Server 2003 SP1 shows how far
Microsoft has come in terms of OS security.
There are many changes in SP1, currently scheduled for release in the
first half of next year. They include the biggest security enhancement,
the Security Configuration Wizard (SCW). The SCW will be able to
determine what role a particular server plays on a network, and turn
off all non-essential services on that box, considerably tightening up
That's a nice feature to have, along with some of the other
enhancements. But it's safe to say that Windows 2003 SP1 isn't an
essential upgrade -- and that's a good thing, believe it or not. It's a
mantra in the IT world that you don't upgrade OSs (at least Microsoft
OSs) until at least the first service pack is released. The belief is
that the service pack will squash the big bugs and unravel the major
kinks, making it safe for data centers.
The difference with Windows 2003 SP1 is that there aren't huge security
holes to fix, the way there were with, say, XP SP2. The SCW, for
instance, merely does what an admin could do by hand -- dig down a
little and turn off services. It doesn't plug a gaping hole; it simply
makes the admin's job more efficient.
Last week, I talked at length to two Microsoft employees who work in
the IT department. They're straight-shooters when it comes to their
employers' products: they see themselves, like you do, as Microsoft
customers who have to clean up the messes left by bad Microsoft
software. They also do early beta testing of server products, and have
been running Windows 2003 SP1 for awhile now. They were overwhelmingly
positive about SP1, noting that the upgrade mostly makes configuration
changes, not changes to core OS functionality or operations.
That tells me that Windows 2003 was pretty good out of the box, which confirms much anecdotal evidence and media reports about the OS's
relative security in its first iteration. How often have we seen that
come out of Redmond?
Maybe that $200 million code review, when Microsoft pulled its
developers off other projects to comb through the OS for security
glitches, has paid some dividends after all. I'm not claiming we've
entered the era of Trustworthy Computing (after all, IE is still a
shipping product), but the fact that Windows 2003 SP1 isn't something
you have to slap on your servers the moment it's released signals a sea
change in Microsoft's approach to security.
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.