A few weeks ago, Microsoft shipped a public release of Windows Server 2003 Service Pack 1 (SP1) Release Candidate 1 (RC1), a near-final version of the first service pack for Windows 2003. Due in early 2005, Windows 2003 SP1 is, in many ways, a massive security update in the same vein as Windows XP SP2. However, enterprises and other businesses will find Windows 2003 SP1 to be far less disruptive than XP SP2, a situation I'm sure many will cheer. To the administrator, Windows 2003 SP1 is, in fact, quite a minor update.
Where It Fits in the Product Timeline
In mid-2004, Microsoft first announced its Windows Server timeline, in which the company will ship new versions of the product every 2 years. Specifically, after a major release such as Windows 2003, Microsoft will ship a minor one. Then the next release will be a major release, followed by another minor one. So the next minor release in this product line is Windows 2003 Release 2 (R2), which is due in October 2005. But before that release ships, Microsoft will ship Windows 2003 SP1 in the first quarter of 2005.
What It Is, What It Isn't
Windows 2003 SP1 includes all the bug and security fixes you'd expect from a Windows service pack. But like XP SP2, it also includes a collection of low-level security-oriented changes, some of which were derived from similar changes in XP SP2, but implemented differently because of the unique needs of server OSs. (Other XP SP2 security features debuted in the initial release of Windows 2003.)
If you administer Windows Server systems, you'll appreciate Microsoft's focus with this release. Not only is Windows 2003 SP1 dedicated to "reducing the attack surface" of your Windows 2003-based servers, as Microsoft says, it also includes easier ways to configure server security features. Key among these new configuration features is the new Security Configuration Wizard (SCW), which I examine later in this article.
Ultimately, Windows 2003 SP1 will be a minor upgrade for most environments because it's minimally disruptive, can be implemented in existing environments with few worries, and is almost completely compatible with code written for the initial release of Windows 2003 (the few exceptions are custom applications that rely on older behavior in Distributed COM--DCOM--and remote procedure call--RPC--technologies). Windows 2003 SP1 is based on the same code base and kernel as Windows 2003 and appears as any other Windows 2003 server on your network.
Feature Alert: SCW
The SCW is the most important new feature in Windows 2003 SP1. But in keeping with the theme of minimal disruptions, the SCW isn't installed by default. Instead, the SCW is available through the Control Panel Add/Remove Windows Components applet. (This is the same way that the unique features in R2 will be installed.)
The SCW helps you create security policies by walking you through a series of steps. Those policies configure the services and security needed by the roles (e.g., file server, Web server, Windows 2000 Server Terminal Services server) your server will assume and shut down any unnecessary ports and services. If you prefer to work from a command line, please don't make assumptions about what you might perceive as the Fisher Price-like nature of this wizard. The SCW is a powerful and valuable tool, and it will make Windows 2003 a more secure system.
When you run the wizard, you're given the option to create a new security policy, edit or apply an existing security policy, or roll back the most recently applied security policy. You can use the wizard to apply or create policies for any Windows 2003 machines in your network. As you step through the wizard, you can configure server roles (e.g., file server, DFS server, print server); server features (e.g., Automatic Update client, DHCP client, Group Policy administrative client); server options (e.g., the Alerter service, audio, the Remote Assistance Expert); and other features. You also can configure inbound and outbound ports, many of which are described in plain English (e.g., Ports used by System RPC applications); registry settings (including approved inbound and outbound authentication methods); and your audit policy, which determines which events are logged.
Security policies are saved as simple XML files in C:\windows\security\msscw\Policies\ by default, which means you can edit them and copy them to other servers. You can also choose whether to apply newly created policies immediately or at a later date.
Other Interesting Changes
In addition to the SCW, SP1 brings other notable and noticeable changes. The newly available Windows Firewall will protect your server from Blaster-type attacks during setup, but will typically be turned off when the server is up and running. However, a new post-setup security updates screen appears on first boot after a clean install, preventing any inbound network connections until you've optionally configured Automatic Updates and updated the server with the most recent security updates. Microsoft also tells me that it's seeing a slight performance boost across the board after installing SP1, which is the first time that's happened with a Windows Server service pack.
I'm out of space, but I have a lot more to say about Windows 2003 SP1. I'll soon be posting a review of the RC1 build to the SuperSite for Windows (http://www.itprotoday.com), but in the meantime, I recommend that you check out the public release of RC1 (see the URL below) and evaluate its new features, especially the SCW. I think you'll be pleasantly surprised.
Windows Server 2003 Service Pack 1 Release Candidate