Windows Server 2003 (WS2003) was the first product released to benefit from Microsoft’s much vaunted Trustworthy Computing initiative, where all code goes through a rigorous screening and audit for potential security issues and other vulnerabilities. WS 2003 thus had a lot riding on it. In comparison to Windows 2000 Server, WS2003 ‘out-of-the-box’ was undoubtedly much more secure. A lot of this was down to the simple fact that all the features - turned on by default in Windows 2000 Server - were turned off in WS2003. If you wanted services, like IIS, you had to explicitly turn them on, hopefully closing the stable door before the horse has had a chance to exit.

At the time, Steve Ballmer predicted “There will also be less security issues going forward”. He was shrewd enough to use the ‘less’ word rather than the ‘no’ word, which was just as well. Microsoft’s initial cocksure confidence was somewhat misplaced: right after the launch of Windows Server 2003, it realised that there was still some more work to do on the security front. Indeed, according to Winbeta.org, work on Service Pack 1 (SP1) had commenced shortly after Windows Server 2003 was released.

Despite Microsoft’s early optimism, it only took a couple of months before the first critical Windows Update was posted for WS2003 in June 2003. According to Microsoft it slipped through the net, requiring the automated code scanning tool it uses to track these bugs to be updated. Since then a total of 58 Security Bulletins have been issued by Microsoft in respect of the OS: 36 were deemed Critical, 18 Important, 3 Moderate and 1 Low. To be fair, ten of these related to the very troubled Internet Explorer. Even so, that list of patches is somewhat less than impressive, given the bullish statements made at its launch. After all, if the Open Source community can make a decent fist of nailing down server OS software, why can’t one of the world’s wealthiest software companies do likewise?

Enter Service Pack 1
Service Pack 1 was in beta for 18 months or so, the longest period of testing undertaken for a Service Pack. Until October 2004, Microsoft had been aiming to deliver the final SP1 release before the end of 2004. However, officials admitted the SP1 and accompanying 64-bit releases would be delayed until some time in the first half of 2005. It was finally released on March 31st. SP1’s main objective, says the company, is to “reduce customer pain centred on server security.”
Customers who have Automatic Updates enabled with automatic download should note that Windows Server 2003 SP1 will be made available through Automatic Updates as a High Priority update in July 2005.

As is the trend with Service Packs these days, SP1 is more than just a mere roll-up of all the security patches released to date. Like Windows XP SP2, it includes a raft of new security features, some of which it shares with its predecessor. It actually bestows a mild performance boost as well, with things like the new Smart TCP port allocation feature and improvements to its SSL service, bringing improved network performance. Uptime is also boosted by the new ability to hot patch system binaries even if they’re currently in use, reducing (if not totally eliminating) the need to reboot.

Perhaps the biggest new feature is the Security Configuration Wizard, though this isn’t installed by default – you’ll need to go through the Add/Remove Windows Components applet in Control Panel to install it. This useful tool is designed to reduce the OS’s ‘attack surface’ and helps you configure services, network security, auditing and registry settings. It does this by generating security policies, which can be used in conjunction with security templates and specific server roles. They can also be applied to any server on your network, allowing for centralised consistency and stability of the security settings on all servers. You can also include existing security templates within the policy.

What’s good about the SCW is that it’s role-based, an approach pinched from Longhorn. Depending on the function of the server (and you have about 50 pre-defined server roles to choose from), the SCW will generate a tailored security policy specifically for that role. The SCW detects which services and ports are necessary to fulfil the needs of the selected server roles, then disables unnecessary services and blocks unused ports accordingly. And if you get it wrong, the SCW’s roll-back feature can dig you out of a hole.

Another major SP1 feature is improved WLAN support. A major weakness of Windows Server 2003 was its inability to deal with WPA-capable networks. SP1 addresses this weakness and now makes it much easier to deploy a large secure wireless LAN. SP1 adds PEAP authentication capability to its IAS (Internet Authentication Service) RADIUS component. The built-in Windows XP Wireless Zero Configuration client can now be centrally managed via Windows Server 2003 using Active Directory Group Policy configuration, making it very easy to centrally manage a secure WLAN. The result of all of this should be to make Wi-Fi client management a good deal easier.

On top of this, there is a clutch of lesser but nonetheless valuable new security features. First seen in Windows XP’s SP2, the improved Windows Firewall debuts on WS2003. It’s basic in that it rejects all unsolicited inbound network traffic, but it can now be controlled via a Group Policy. It’s not that fabulous, though, as it doesn’t let you set any rules on outgoing traffic. Also, it isn’t enabled by default except during clean installations of SP1.

The original release of WS2003 allowed sysadmins to ‘quarantine’ insecure workstations and prevent them joining the network fully. With SP1 this has been extended to remote access clients as well.
One glaring weakness has been eliminated by SP1. Post-Setup Security Updates, or PSSU, temporarily disables connections to servers while the automatic Windows Update feature downloads patches and security updates for installation. While the PSSU screen is up, SP1 enables the Windows Firewall and blocks all inbound network connections, protecting the server from attacks until update downloads are complete. Note that PSSU is enabled only on new installations, not on upgrades, so you’d need to slipstream SP1 into your install CD-ROMs first.

Both remote procedure call (RPC) and Distributed Component Object Model (DCOM) services, a popular target for hackers despite their complexity, now feature strengthened authentication routines. The DCOM authentication model has been enhanced to reduce the risk of network attacks against applications that are dependent on these services. And with a nod towards the eventual release of 64-bit versions of the OS, SP1 introduces support for 64-bit CPUs and specifically their DEP ‘no execute’ hardware, which prevents malware from executing where it’s not allowed to.

Windows Server SP1 forms the basis for Windows Server 2003 R2, an interim Windows Server release pencilled in for release at the end of the year.

Any Gotchas?
So far, nothing earth-shattering. Small Business Server 2003 is heavily based on WS2003, but despite erroneously putting SP1 up on the SBS Windows Update site for the first day, Microsoft doesn’t recommend installing SP1 on SBS 2003, as it can cause a few services and wizards to fail. A separate SBS service pack will become available within 90 days.

Just as Windows XP SP2 caused compatibility problems with some apps, it’s inevitable that WS2003 SP1 will do likewise. Thus far the most important app affected is Internet Security and Acceleration Server 2000 and 2004, which should be updated before SP1 is applied. There’s also an obscure issue that might cause Exchange Server to be inaccessible after you run the SCW. However, this only occurs if Exchange Server is installed in a non-default location. Other apps so far known to have minor issues with SP1 include BizTalk Server 2004, SQL Server Reporting Services and Virtual Server 2005, but workarounds are available for all of these.

The Verdict
Windows Server 2003 was already pretty secure by Windows standards – Service Pack 1 represents a major upgrade that increases security significantly. Not only that but the additional tools it comes bundled with will help users further increase the levels of security possible with WS 2003. It may have been a long time a’comin’ but the technical review that accompanies SP1 is remarkably, almost painfully, honest about Microsoft’s shortcomings when it came to delivering secure products, which demonstrates Microsoft’s commitment to getting it right in future.
