When it was released in April 2003, Windows Server 2003 (see my review) was the most secure server operating system Microsoft had ever developed, thanks to a massive security code review that had halted development mid-stream for three months. Since that time, Windows Server 2003 has proven its mettle in the real world, and lived up to its security billing.
But since the release of Windows Server 2003, Microsoft has developed a number of security technologies originally planned for Longhorn, codenamed Springboard, which further harden the Windows operating system, making it more resilient against entire classes of electronic attack. The first generation Springboard technologies were moved into Windows XP Service Pack 2 (SP2, see my review) after a spate of malicious hacker attacks in 2003, delaying the release of that product until August 2004 (it had originally been scheduled to ship in late 2003). The long development time of XP SP2 also ended up delaying the release of many other projects at the software giant, including the x64 versions of Windows XP and Windows Server 2003, and Windows Server 2003 Service Pack 1 (SP1).
Like XP SP2, Windows Server 2003 SP1 has changed dramatically since its inception, though it was always going to be more than a normal service pack. That is, Windows Server 2003 SP1 had been conceived originally as a stepping point of sorts to future Windows Server versions, including R2 ("Release 2," due in late 2005) and "Longhorn" Server (2007). As such, it was to have included new features like the Security Configuration Wizard (SCW) and some of the so-called Feature Packs that Microsoft had been releasing since the initial version of Windows Server 2003. However, with the addition of the Springboard security technologies--including Windows Firewall and other features from XP SP2--Windows Server 2003 SP1 is now poised to take the "most secure" mantle from Windows Server 2003 and XP SP2. It is combines the features from a standard service pack, aggregating previously-released bug and security fixes--with a slew of new features that one might normally associated only with major Windows Server updates.
In this preview, I'll focus on the new features you can expect to see in Windows Server 2003 Service Pack 1 (SP1). This preview is based on numerous discussions with various Microsoft representatives and months of experience with pre-release versions of the product, including the Release Candidate 1 (RC1) and Release Candidate 2 (RC2) versions of the product. In the future, I'll be providing more analysis of these features in a full review of Windows Server 2003 SP1 and the Windows Server 2003 x64 Editions, which are essentially x64-based versions of Windows Server 2003 with SP1.
What's new? Well, nothing, sort of
To understand some of the interesting decisions Microsoft made with Windows Server 2003 SP1, you must first understand how the company views the Windows Server product timeline. Every four years, Microsoft plans to ship a major new version of Windows Server. These major new versions could include low-level kernel changes, so Microsoft will not ensure compatibility with previous versions, though of course this type of compatibility is always a key concern. The first of these major versions was Windows Server 2003, and the next will be Longhorn Server, due in 2007.
In between each major release--or, put another way, two years after each major release--Microsoft will ship an interim Windows Server release. These releases will share the kernel with the previous major Windows Server release, ensuring compatibility, so it will be straightforward to roll out these product versions in environments based on the previous Windows Server version. They will also include many of the Feature Packs, or "out of band" updates that Microsoft had previously shipped for the previous Windows Server version. The first of these interim releases is codenamed R2 (for "Release 2"), and its due in late 2005.
Between each of these releases, Microsoft will continue to ship Feature Packs and service packs. Service packs, for the most part, will continue to play their classic role of aggregating previously-released bug and security fixes. Windows Server 2003 SP1, as previously noted, does however include a number of new features, including some that were originally scheduled for Longhorn but were released sooner as part of the Springboard initiative. To make the transition from Windows Server 2003 to Windows Server 2003 with SP1 less intrusive, however, Microsoft has decided to hide or disable many of these new features, especially on upgrades. For this reason, the "out of box" experience--especially on upgrades--will result in a system that is not demonstrably different from the previous version.
However, the new features are there. You just need to know where to look for them. If you look through the Administrative Tools folder on a newly upgraded Windows Server 2003 SP1 machine, you'll see no new management consoles. Instead, you need to look at the Windows Components Wizard (Figure)--initiated by selecting Add/Remove Windows Components from within Add or Remove Programs in Control Panel--to find a first obvious new feature, the Security Configuration Wizard (which is discussed below). That's right, folks: It's not installed by default. You need to manually add it yourself.
"Though I was one of the people that made the decision to not install the [SCW] by default, I've sort of looked back on it now and wished we'd done it differently," Iain McDonald, a Microsoft director of Windows Server program management, told me during a recent meeting.
Most of the new features in Windows Server 2003 are quite stealthy. This isn't a release that's designed to rock the boat. In the next several sections, I'll highlight some of the new features that I think are important.
Security Configuration Wizard
Long heralded as the major new feature change in Windows Server 2003 SP1, the Security Configuration Wizard (SCW) has been in the planning stages for years. With the release candidate builds of Windows Server 2003 SP1, however, the SCW arrives as a functional entity for the first time (Figure). And it appears that SCW was worth the wait. Essentially a wizard-based tool for configuring the security features and policies of your servers, the SCW uses the roles-based administration features first introduced in Windows Server 2003 to good effect. The SCW lets determine what kind of server you want to have--say a file, print and Web server--and then shut down unnecessary services, block unneeded ports and restrict open ports where possible, secure protocols like SMB (secure message block) and LDAP, and perform other similar tasks (Figure).
In Microsoft parlance, the SCW "reduces the attack surface" of a Windows Server 2003 SP1-based server by letting you easily make such machines as secure as possible given their required role(s) in your infrastructure. It is also extensible, meaning that Microsoft and third parties can create secure roles that take into account other server products. And you can easily export server settings as XML scripts and then apply them to other servers where appropriate, a nice feature for server farms or other redundant set-ups. Additionally, you can roll-back to previously-applied policy settings, or use Group Policy to roll out SCW-created policies.
The SCW is a complicated and powerful tool, worthy of further discussion. I'll have more to say about this feature in my eventual review of Windows Server 2003 SP1 and in a separate Technology Showcase dedicated to SCW.
Remote Access Quarantine
One of the fundamental problems with allowing users to remotely access a server through a VPN connection is that there is no easy way, currently, to ensure that those connecting systems are up-to-date with the latest security fixes, especially if your organization has a strictly mandated security policy. Remote access is convenient and even desirable, but most organizations have no way to determine the cleanliness, if you will, of the connecting systems.
Microsoft has a long-term goal for fixing this problem, and it's being implemented in steps across many Windows Server releases, including Windows Server 2003, Windows Server 2003 SP1, R2, and Longhorn Server. Sadly, we're still at the nascent stages of this implementation, so the technologies available today are not particularly viable. In the future, Microsoft will add true network quarantine capabilities directly to Windows Server. The idea is that non-conforming remote access machines are pushed off to a segregated portion of the network, given the updates they need to meet your security policy, and then finally allowed in. Originally scheduled for R2, that feature won't be fully implemented until Longhorn Server now because of a technology cross-licensing agreement between Microsoft and Cisco.
So what do we have today? With Windows Server 2003, Microsoft provided users with a tool called Quarantine Policy Check in the Windows Server 2003 Resource Kit (RK). The tool lets you scan remote users as they connect and then initiate a post-authentication network policy script that verifies that the connecting system meets your security policies. If it does not, the remote user is denied network access. Typically, you might redirect the user to a Web page that describes the policy and how they can update their system. It's better than nothing.
In SP1, Microsoft is basically providing the capabilities of Quarantine Policy Check in the base OS, so it's not a huge improvement over the previous situation. Dubbed Remote Access Quarantine, this feature helps administrators quarantine remote access clients that don't meet the minimum security settings they've created. However, like the previous RK-based solution, Remote Access Quarantine is not yet an easily-implemented or full-featured solution.
Post-Setup Security Updates
To protect servers from electronic attacks during clean installs, Microsoft enables the new Windows Firewall (see below) during Setup and first boot. (Note that this functionality is only available on a Windows Server 2003 clean installation that has been slipstreamed with Service Pack 1.) When the administrator logs on at first boot after Setup completes, Windows Server 2003 SP1 launches a new feature called Post-Setup Security Updates (Figure), which blocks incoming network traffic until you download pending updates from Windows Update or cancel out the window. After you've dismissed this window--hopefully by successfully downloading any remaining updates--you cannot re-trigger it, and it's not available from the Start Menu or, typically, from within Windows Server 2003 SP1.
Post-Setup Security Updates does not appear on an upgrade install to Windows Server 2003 SP1 from either Windows Server 2003 or Windows 2000 (though it will appear if you upgrade Windows NT 4.0 to Windows Server 2003 SP1, Microsoft says).
Windows Media Player 10
Windows Server 2003 SP1 includes Windows Media Player 10 (WMP 10, see my review), which is the most recent version of WMP at this time (the initial release of Windows Server 2003 shipped with Windows Media Player 9 Series). Compared to previous versions of WMP, WMP 10 is more secure and has been updated to work with the many other security enhancements in Windows Server 2003.
Changes that first appeared in Windows XP Service Pack 2 (SP2)
Many of the new features in Windows Server 2003 SP1 are new to Windows Server, but first made their debut in Windows XP SP2, which shipped in August 2004. Many of these technologies are part of the Springboard project, and many of them are configured differently in Windows Server 2003 SP1 than they are in XP SP2, because of the different needs of a server environment. For example, the Windows Firewall is enabled in XP SP2, because a client machine should typically block all network traffic except that which it trusts and needs. A server, meanwhile, is designed to accept network traffic, so the Windows Firewall is typically disabled in Windows Server 2003 SP1.
Here are some of the new Windows Server 2003 SP1 features that first debuted in XP SP2.
Add or Remove Programs
As with XP SP2, the Add or Remove Programs applet in Windows Server 2003 SP1 now includes a "Show updates" filter that lets you show or hide updates to the operating system in the list of installed programs (Figure). By default, all updates are hidden, but by checking the box titled "Show updates" at the top of the window, you can display all OS updates as well (Windows Server 2003 SP1 is displayed when Show updates is off, however). Note that including all updates in the Add or Remove Programs list makes for long and slow-loading list. Also, third party application developers can take advantage of this feature to optionally hide updates, though I've yet to see a third party update that does so.
I evaluated the Add or Remove Programs list on a stock Windows Server 2003 machine earlier this month. It included 37 "currently installed applications," though all of them were hot-fixes and other similar updates. After upgrading to SP1, that same machine shows just one currently install program--Windows Server 2003 Service Pack 1--though you can check the "Show updates" check-box to show all of the individual updates if you'd like. Doing so, however, doesn't display the full list of 37 additional items, because many of those fixes were rolled into SP1.
Data Execution Prevention (DEP)
In Windows Server 2003 SP1, Microsoft added support for Data Execution Prevention (DEP), which can work in two different ways. The more powerful version of DEP interacts with the No eXecute (NX) feature found in AMD Athlon 64 and Opteron microprocessors, or the eXecute Disable (XD) feature Intel uses in its EM64T-compatible Pentium 4 6XXX and Xeon chips. However, on other microprocessors (i.e. most existing 32-bit processors) DEP works in software-only mode and is therefore less powerful.
In either case, DEP attempts to prevent code from executing in system memory that is reserved for data. This functionality helps alleviate memory-based attacks, such as buffer overflows, which are a common tactic of today's malware. However, the software-based DEP feature will only protect a limited range of system binaries, according to Microsoft. That means that many existing servers (and PCs, in the case of XP SP2) will be less well protected.
So what happens when you are running a system with DEP enabled? If an application--good or otherwise--illegally stomps on memory that is reserved for data, the operating system will raise an exception and terminate the application. Because this type of activity is likely to cause problems with application compatibility, however, DEP is actually disabled for non-operating system processes (i.e. all third party applications) by default on my Windows Server 2003 SP1 systems. However, you can enable it for maximum protection (and minimum compatibility) by accessing a new tab on the Performance Options dialog, which is available from System Properties (Figure). Here, you can also configure an exceptions list for applications you trust.
In a semi-related bit of functionality, x64-based systems receive a bit of extra protection from a new technology that prevents non-official Microsoft hot fixes from patching the OS kernel. For example, kernel-mode drivers, which often use undocumented programming features, are programmatically prevented on x64-based Windows Server 2003 SP1 systems. Developers are only discouraged from doing that sort of thing on x86 systems.
Windows Firewall
Windows Firewall is the new version of the Internet Connection Firewall (ICF) that Microsoft included with the original version of Windows Server 2003. It is a software-based, stateful filtering firewall with a much wider array of configuration interfaces than its predecessor. However, like ICF, Windows Firewall only monitors inbound traffic. And unlike the version of Windows Firewall Microsoft first included in Windows XP SP2, the Windows Firewall in Windows Server 2003 is generally not enabled, although it is turned on by default during clean installs and boot-up to protect otherwise vulnerable servers against electronic attacks.
"Putting Windows Firewall on by default for clean installs ... it's kind a nuanced story," McDonald told me. "Windows Firewall is not on all the time because the worst thing that we could possibly do is kill all of the traffic to a domain controller or whatever on an upgrade to SP1. It's kind of a blunt instrument to just turn the firewall on. We don't know what third party applications are on there. We don't know what methods they use for remote administration. It could be Terminal Services, it could be WMI, or it could be something else. Going and doing that would've been the wrong thing to do."
Internet Explorer features
Though Windows Server 2003 shipped with a more-secure-by-default version of IE 6 called IE Enhanced Security Configuration (code-named "IE Hard"), Microsoft has made many security improvements to IE 6 since that release, primarily in XP SP2. Some of these features are now being added to Windows Server 2003 in SP1.
First, IE gains the Manage Add-ons feature Microsoft added to IE in XP SP2. This feature lets administrators view all of the add-ons that are installed in IE and then disable the ones they don't trust or need. In pre-IE 6 days, these add-ins were commonly called plug-ins, but they can be any number of items, including Browser Helper Objects (BHOs, the source of much spyware), ActiveX controls, toolbar extensions, and other browser extensions. As with IE in XP SP2, you can view the Manage Add-ons UI by selecting Tools and then Manage Add-ons (Figure). Unlike with IE in XP SP2, it's unlikely that you'll see a lot of add-ons on a Windows Server 2003 system.
IE also gets the pop-up blocker and Information Bar features from IE 6 in XP SP2, though it's likely that the IE Hard content blocking feature (Figure) from the initial release of Windows Server 2003 will kick in before the pop-up blocker is called on. However, if you visit a pop-up launching site that is in an IE zone that allows scripting, or turn off the IE Hard functionality all together, the IE pop-up blocker will display as it does in XP SP2 (Figure).
The Local Machine Zone (LMZ) in IE has been locked down in Windows Server 2003 SP1, as it was previously in XP SP2, in order to prevent downloaded code from running under elevated privileges on the system. Previously, Web content that was loaded locally--that is, loaded from the local file system of the server--was treated as safe, and allowed to run scripts, ActiveX controls, and other potentially unsafe code. Unlike some other IE features, this change could have enormous ramifications for Windows Server 2003 users. However, third party applications that host Web content locally, even if they're using the IE rendering engine, are not affected. Developers can adopt the LMZ lock-down settings optionally, which might be a good idea.
As with the version of IE in XP SP2, IE in Windows Server 2003 SP1 prevents errant Web coders from creating hidden IE windows, moving IE windows off-screen, or resizing IE windows. Also, pop-up windows can no longer be created with an address bar, title bar, status bar, and toolbar. These techniques have been used by hackers to spoof dialogs and other user interfaces in the past.
The IE (and Outlook Express) file downloading prompt has been made to be more consistent with the safer version in XP SP2. Some of this change is just cosmetic, but it also prevents you from downloading content from blocked publishers, as configured by the Manage Add-ons feature in IE.
Finally, for administrators who are looking to fully control IE deployment through Group Policy, SP1 lets you do so (as it does for XP SP2 machines). For the first time, it's possible to create a centralized security settings policy and then apply it to all of the server systems you manage.
Low-level changes
In an effort to reduce the attack surface of Windows Server-based servers, Microsoft has implemented some key low-level changes from XP SP2 in Windows Server 2003 SP1. Specifically, the company has changed the Remote Procedure Call (RPC) and Distributed COM (DCOM) interfaces to be more secure by default. These and other low-level changes could lead to some application incompatibilities, especially for those companies that have created custom-made in-house solutions.
"There are actually two places where we know applications are going to have compatibility issues," McDonald said. "The first one is DCOM pruning, which is what we did in XP SP2 earlier. And the second one is the most common application compatibility issue, which is where the application is [hard-coded] to work only with a specific version of the OS. We've been trying to educate developers not to do that with every release."
Timing and availability
Microsoft is currently making the Release Candidate 2 (RC2) version of Windows Server 2003 Service Pack 1 available as a free download (343 MB). I've been told by representatives of the company that Microsoft will finalize the code for Windows Server 2003 SP1 in March and make the product widely available shortly thereafter. Slipstreamed versions of Windows Server 2003 with SP1 will replace current Windows Server 2003 products in April 2005.
Conclusions
Windows Server 2003 Service Pack 1 (SP1) is a hugely important security update for Windows Server 2003, and an excellent upgrade for all Windows Server 2003 systems. Despite the massive number of security-oriented changes it includes, SP1 will likely prove to be a non-invasive upgrade for most businesses. However, because many of the security changes can cause application incompatibilities and other problems, businesses should test this release as soon as possible in order to ensure that their upgrades will go smoothly. As Windows Server 2003 SP1 nears release, I'll have more information on which to base this opinion, but at this point in time, based largely on months of pre-release experience, I highly recommended that all Windows Server 2003 users begin evaluating and planning the eventual upgrade to Windows Server 2003 SP1. It looks like a solid, much-needed update.
