Prepping for Windows Server 2003 SP1....
Windows Server 2003 SP1 RTM
is currently scheduled for the end of March 2005. To help you prepare for deployment to your Enterprise I’ve provided the following links to Windows Server 2003 SP1 information. ****
Windows Server 2003 Service Pack 1 Release Candidate
Technical Preview Program
SP1 RC is here! Join Peter Meister – Lead Product Manager for Windows Server 2003 for this conversation and learn about the benefits, features, and new functionality of SP1.
Get a technical overview on SP1 RC, covering Secure Configuration Wizard, Windows Firewall coupled with the new Active Directory groups policies, and VPN Quarantine technologies within SP1 RC.
The following is from the Windows Server 2003 SP1 Product Overview:
What Is in Service Pack 1?
Service Pack 1 provides convenient, comprehensive access to the latest updates, enhancements, and new features for Windows Server 2003. Each of these components allows customers to better leverage the enhanced security, reliability, and performance of Windows Server 2003.
Update management is one of the great challenges of computer security. Despite the challenges of update management, updates will continue to play a vital role in securing enterprise IT until security technology can anticipate every attack strategy and compensate for every vulnerability. While enhancements and new functionality delivered by Service Pack 1 make great strides towards more proactive security, reacting to known threats is still a core mission of Service Pack 1.
Frequent updating is a key to keeping up with exploits as they are discovered. By bundling these updates together in Service Pack 1, Microsoft provides customers, both new and old, with the latest protection for Windows Server 2003.
The updates disseminated by Service Pack 1 cover some of the most basic functionality—and thus remove some of the most important attack points—of Windows Server 2003. These updates include fixes for:
Internet Explorer—Updates to this application include those to prevent unintentional downloads of misrepresented, malicious code and the automatic resizing of browser windows as a ruse to extract sensitive data from employees.
Outlook Express—This update affords users the option of rendering email in plain text rather than HTML. Downloading email as plain text as opposed to HTML provides one more barrier against the spread of malicious code via email.
WebDAV Redirector—By Updating this behind-the-scenes program, customers can access Web-based Distributed Authoring Versioning (WebDAV) servers, such as Windows SharePoint® Services and MSN Communities, as if they were standard file servers. Moreover, this update prevents customers’ credentials (user name, password) from being transmitted over unencrypted channels during such exchanges.
While updates may be a business necessity, they need not be a business problem. Microsoft addresses update-related server down time with the Hot Patching feature in Service Pack 1. Updates that require restarts are a problem for business-critical servers, and they can pose a challenge to the service level agreements of an IT organization. Hot Patching allows customers to apply updates to drivers, DLLs, APIs, or any non-kernel level component of Windows Server 2003 without restarting the server.
In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:
Stronger defaults and privilege reduction on services—Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.
Support for "no execute" hardware
—Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack. ****
Network Access Quarantine Control components included
—Windows Server 2003 SP1 now includes the Rqs.exe and Rqc.exe
components to make deployment of Network Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003. ****
IIS 6.0 metabase auditing
—The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted. ****
Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.
Windows Firewall—Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer’s network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.
Post-Setup Security Updates (PSSU) —Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.
Security Configuration Wizard (SCW)
—SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.