Microsoft Ships Windows Server 2003 SP1 Release Candidate

"This is more than the typical service pack," said Michael Cherry, an analyst with Directions on Microsoft, a Redmond, Wash.-based research group that specializes in tracking Microsoft's moves. "It has changes, some new features, not just a roll-up of previously-released security patches."

In that regard, Cherry said, the release candidate of Windows Server 2003 Service Pack 1 (SP1) is very much like the security-conscious Windows XP Service Pack 2 (SP2).

"SP1 includes those changes to XP SP2 that makes sense on the server side," Cherry said, including Data Execution Prevention (DEP), which is what was once called "no execute" or NX. DEP reduces the chance of an attack causing a buffer overflow, a now-common tactic by hackers to gain control of systems.

Other changes in Windows Server 2003 SP1 that resemble Windows XP SP2 range from revamped security on the vulnerable DCOM and RPC protocols (which were exploited by 2003's MSBlast worm) to a more secure Internet Explorer. SP1 also automatically blocks all incoming network traffic to a new server until the latest patches are downloaded and installed, a technique used to ensure that fast-acting network-attacking worms can't infiltrate an exposed server.

"That sorta provides a safety net," said Cherry.

Microsoft's also added other new features to SP1, including something called the Security Configuration Wizard that walks administrators through the process of reducing the server's attack vulnerability by setting options to block unnecessary ports, change pertinent registry keys, and configure audit settings.

"Microsoft's moving more and more towards a role-based definition of servers," said Cherry, "and has been looking at what should be [turned] on for various different roles, such as a file server or a Web server." The wizard automatically sets options depending on the type of server role the administrator chooses.

All told, the focus of SP1 is definitely security. "Security is pretty high on everybody's mind," Cherry agreed.

With the service pack boasting new features, Cherry recommended that companies expecting to deploy SP1 when it goes final in 2005 to start testing this release candidate now. "Even though Microsoft's calling this a "service pack," it has new features, and will require more testing than a standard service pack that is only a collection of previously-published patches."

Now's the time, he added, since Microsoft is terming the code as a "release candidate," meaning that features are set and very unlikely to drop out or change significantly. "This is stable and testable," Cherry said, "so you can start looking at it to decide if its features are worthwhile to your organization."

The 316MB 32-bit version of the release candidate is available here on Microsoft's site, while the 396MB 64-bit edition is available for downloading here.

Later in 2005 and after SP1 is out the door, Microsoft is expected to debut Windows Server 2003 R2, an interim release. Microsoft's server roadmap calls for major releases about every two years, with interim releases like R2 alternating with major updates, according to Cherry.