Microsoft Ships Windows Server 2003 SP1 Security Update

First announced by Microsoft CEO Steve Ballmer in late 2003, and originally slated for delivery in the second half of 2004,Windows Server 2003 Service Pack 1 became available for download on Wednesday from Microsoft's Web site, said Samm DiStasio, director of product management for Microsoft, who confirmed its imminent release earlier this month for CRN. Windows Server 2003 SP1 Is Almost Ready, Are ISVs?

Windows Server 2003 SP 1, the server complement to Windows XP SP 2, offers a new Security Configuration Wizard to help administrators and partners lock down servers more easily out of the box and based on the specific role of the server. The wizard can be used to configure the included Windows Firewall, which is turned off by default.

"We've issued tons of guidance on how to lock down the server but we wanted it hardened in the code and have a step through discovery process for tuning it depending on the role of the server," DiStasio said. "We're taking roles based lockdown to a new level so you can lock down for a web server that if is only being used for Web publishing you can lock down select ports and services and registries to get the exact lockdown you want."

Moreover, changes made to the remote procedure call (RPC) interfaces, the same hardening performed in Windows XP SP2, will reduce the attack surface to the server.

Microsoft also imposed DCOM restrictions to address other server exposure. Both measures will significantly reduce the chance of bugs, viruses and hackers from gaining entrance, Microsoft said.

The key benefits include the security configuration wizard, better RPC Security to prevent attacks and DCOM Security to prevent application viruses, said Rand Morimoto, CEO of Convergent Computing an Oakland, Calif.-based Microsoft Gold partner that has beta tested SP 1 for months.

"The number one thing IT Pros ask us for is an easier way to lock down their Windows servers. Today, you run a lockdown tool that does such a great job, that after it is run, a lot of critical business functions on a server stop working," said Morimoto, noting that 30 percent of his customers are running Windows Server 2003, 50 percent run Windows 2000 and 20 percent run Windows NT. "With SP1 and the various roles in the security configuration wizard, you can choose to lockdown a server that'll be an Exchange Front end Server, or lock it down as a File/Print server, or lock it down as a Domain Controller," Morimoto added.

"You specify the role of the server, and it'll lock down everything except for the key ports, functions, and applets critical to make the role of the server operational," he said.

Unlike the Windows XP SP2 security update, which was released in August, the Windows Server 2003 SP1 does not have the Windows Firewall turned on by default. The intent is to mitigate potential application incompatibility problems that plagued the initial debut of Windows XP SP2 client security update and acknowledge the reality that many enterprise customers currently have their own third-party server-based firewalls implemented, Microsoft said.

Still, Microsoft said the Windows Firewall will be enabled in new installations to ensure that the computer is protected from network attacks while being set up and configured.

To limit compatibility problems, Microsoft tested more than 125 commonly used server applications against SP1 and ran into only a few issues that have been fixed, DiStasio said. The list of compatibility issue and fixes will be posted on the software giant's Web site, he added.

Microsoft also implemented a feature called post setup security updates to protect the server from risk of infection between the time of its installation and the download of its first security updates from the Windows site.

This is the second release of the Windows Server 2003 that complies with Microsoft's Trustworthy Computing Initiative and SP1 integrates a variety of other security features, some of which have existed previously in various incarnations. The server, for example, implements a client VPN quarantine tool that was previous offered in a separate toolset. The release of Windows Server 2003 SP1 comes just two weeks before Microsoft is expected to remove a blocking tool for its update site that prevents Windows XP SP2 from being automatically downloaded to corporate sites. The tool was implemented late last year in order to give administrators additional time to download fixes to address incompatibilities and ensure a more smooth deployment of the Windows XP SP2. SP1 is avalable for download immediately. The media will be avalable in two to four weeks from Microsoft and the code will be slipstreamed into the Windows Server 2003 core code within six weeks, DiStasio said, adding that he thought most customers would likely download the update from Microsoft's site.

Some expect the release of SP1, like any first update to a major release, will accelerate customer adoption to the Windows Server 2003 server from earlier versions of the Windows Server, NT and Windows 2000. But not all expect it will be flying off the Web, or shelves immediately.

"For SP1, service packs are not something that IT people usually get excited about. It means having to look at the prospect of upgrading and Compatibility testing servers and systems," said Paul Freeman, president of Coast Solutions Group, a technology services distributor and aggregator in Irvine, Calif. "It may be that SP1 will provide valuable upgrades, but I don't see people planning to rush out and upgrade their servers as soon as it's available."

For added security, SP1 takes advantage of the No Execute features incorporates in recently released processors from AMD and Intel that provide additional data protection by reducing memory buffer overruns that hackers exploit.

The update also offers enhanced security for Internet Explorer and Outlook Express, including an IE Information Bar and Pop Up Blocker. Additionally, SP1 has a WebDav redirector so that users can now log onto Webdav servers for remote file access without worrying about releasing their password, Microsoft said.