Blazing the Windows 2003 SP1 Trail

Tuesday May 24th 2005 by Deann Corum

Pioneers, the saying goes, are the ones with the arrows in their backs. We took a few arrows on the way to installing Windows Server 2003 SP1, so you could hitch your wagon and head out, too.

For those of you who haven't gotten around to installing Microsoft's Windows 2003 Service Pack 1 yet, whether due to time constraints or to trepidation at Microsoft's penchant for breaking as much as it fixes in its Service Packs, let's spend some time on this latest of Microsoft's OS Service Packs before you dive in.

Windows 2003 SP1 was released at the beginning of April 2005 and is the second stage of Microsoft's security initiative, called "Springboard," from which Windows XP Service Pack 2 originated in August 2004. It not only contains the usual bug fixes and performance tweaks, but also concentrates heavily on security, since Microsoft was beaten up pretty badly over security issues in 2003.

The Good News

Windows 2003 SP1 contains many of the new features that previously appeared in Windows XP SP2, although these are installed and configured a bit differently for the server platform. For example, there's the Windows Firewall, which is simply enabled by default in Windows XP SP2. It's enabled during slipstreamed (new) installations of Windows 2003 SP1 too, to prevent network-based attacks during installation. However, after nagging you through Post-Setup Security Updates (PSSU) to apply any subsequent patches, it is then disabled on the server unless you re-enable it. This makes sense if you think about it: locking down a new installation of Windows 2003 until all the latest patches are applied probably isn't a bad idea.

A few other items that debuted in Windows XP SP2 and reappear in Windows 2003 SP1 are Wireless Provisioning Service (WPS), some COM and DCOM security changes, Internet Explorer changes, and DEP (Data Execution Prevention).

Wireless Provisioning Service helps you set up wireless networks. In Windows XP SP2, the Wireless Configuration Wizard and WPS automate the process of connecting to and configuring wireless networks, making it easier and more secure for users to connect to corporate or public Wi-Fi hotspots. With WPS on Windows 2003 SP1 and IAS, Wireless Internet Service Providers (WISPs) can provide pay-per-use, monthly subscription, and long-term Internet access to new and existing customers through wireless access points deployed in public areas or on corporate wireless networks.

Changes to Internet Explorer include local-machine lockdown, pop-up blocking and add-on management, which lets you control the installation and removal of IE add-ons. This feature also lets you see which add-ons are installed, something that was very difficult to do before.

Windows 2003 SP1 also includes software-based DEP (Data Execution Prevention) memory protection technology, which first appeared in Windows XP SP2. This protects your server against the insertion of malicious code into areas of memory marked as non-executable, thereby reducing exploits of Windows' exception-handling mechanisms. Many of the latest processors also have hardware-based DEP, which prevents the execution of code in memory regions designated for data storage. For instance, Dell PowerEdge servers shipped since October 2004 have NX (no-execute) processor capability. Hardware-based DEP keeps track of memory pages designated as 'non-executable.' If something attempts to execute code from a page marked non-executable, the hardware catches the attempt and prevents the code from running.

Windows 2003 SP1's software-based DEP is enabled by default, regardless of whether the processor supports hardware-based DEP. If your server's processor does have DEP capabilities, Microsoft's software-based DEP adds another layer of security checks on top of it to prevent malicious exploitation of Windows 2003's exception-handling mechanisms.

This service pack is heavy with security enhancements and tools, but the biggest and most highly publicized one is the Security Configuration Wizard (SCW).

Figure: Windows 2003 SP1 Server Roles

Oddly, once SP1 is installed, an icon for SCW appears on the server's desktop. This is misleading, because at this point the Security Configuration Wizard is not yet installed; it must be installed separately using Add/Remove Programs. SCW lets the administrator configure server security policy at a very granular level, enabling or disabling services, protocols, and features according to the role of the server. The resulting security configuration is stored in XML format and can be exported and applied to other Windows 2003 servers that perform the same roles, for instance Exchange servers.

After Windows 2003 SP1 is installed, you'll be presented with a Post-Setup Security Updates (PSSU) screen that pesters you to update the server with any pending security updates and to configure Automatic Updates. Until this screen is dealt with (or dismissed, since there may be few updates as of this writing), all inbound network traffic to the server is blocked. You must click 'Finish' for inbound traffic to be allowed.

Another less glamorous but still very useful goodie in Windows 2003 SP1 is VPN Quarantine, which lets you deny VPN access to PCs that connect to your servers but are not up to date with the security software you require.

This article was originally published on Enterprise Networking Planet.

The Bad News

There are some definite application incompatibilities and some 'gotchas' in Windows 2003 SP1. Surprisingly, many of the application incompatibilities or 'gotchas' that surface in Windows 2003 SP1 are products from Microsoft! Fortunately, Microsoft has already devised patches and fixes for most of them.

Microsoft suggests waiting to install Windows 2003 SP1 on Small Business Server 2003 servers until SBS 2003 SP1 is available. This is because Windows 2003 SP1 affects Remote Access, Fax Services, and other critical items on SBS servers. The good news is that if you do install Windows 2003 SP1 on an SBS 2003 server, you only need to use the Control Panel - Add/Remove Software to uninstall the service pack and regain functionality of these services.

Windows 2003 SP1 is known to cause issues with Exchange 2003 servers and with some products that use Exchange 2003 as part of their messaging functionality. One of these products is Cisco's UNITY, which uses Exchange 2003 Server for its Unified Messaging deployments. Once Windows 2003 SP1 is installed on the Exchange 2003 server, Exchange 2003 is completely unavailable to UNITY. Cisco recommends uninstalling Windows 2003 SP1 to remedy the problem. UNITY 4.0(5) is not affected by this issue; however, this version of UNITY has not been released yet.

Figure: Windows 2003 Firewall, Exchange Paths

If Exchange 2003 is installed in a path other than the default, which is %ProgramFiles%\Exchsrvr, and you use SCW to apply an Exchange Server role policy to your Exchange server, users will not be able to connect to their mailboxes and OWA users may get a 'service unavailable' error. The fix is to roll back the policy, manually correct the program paths on the Windows Firewall Exceptions tab, and only then re-enable it. Microsoft has a KB article available for this snafu.

Internet Security and Acceleration Server 2000 and 2004 should be updated before SP1 is applied. ISA 2000's Server RPC filter will deny RPC access to computers running Windows Server 2003 with Service Pack 1. Microsoft has a patch to fix this compatibility issue.

For ISA 2004, just make sure ISA 2004 SP1 is installed before you install Windows Server 2003 SP1 to prevent the same RPC filter problem. The fix is already included in ISA 2004 Enterprise.
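The Exchange path mismatch described above is easy to audit from a script before re-enabling the firewall. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the SP1 firewall stores program exceptions under the FirewallPolicy registry key as "path:scope:mode:name" strings, that Exchange 2003 records its install root in the Exchange Setup key's "Services" value, and that the SP1 netsh firewall context accepts the add/delete allowedprogram syntax shown.

```powershell
# Added example (not from the article): audit the Windows Firewall program exceptions
# an SCW Exchange role policy creates, and flag Exchange binaries whose path does not
# exist on disk because Exchange was installed somewhere other than the default.
# Assumptions, not stated on the page: the SP1 firewall stores exceptions under
# ...\FirewallPolicy\<Profile>\AuthorizedApplications\List as strings of the form
# "<exe path>:<scope>:<Enabled|Disabled>:<display name>", and Exchange 2003 records
# its install root in HKLM\SOFTWARE\Microsoft\Exchange\Setup, value "Services".
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Exchange\Setup'
$exchRoot = (Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue).Services
if (-not $exchRoot) { $exchRoot = Join-Path $env:ProgramFiles 'Exchsrvr' }  # the page's default
$exchRoot = $exchRoot.TrimEnd('\')
Write-Host "Exchange install root: $exchRoot"

$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$mismatches = 0
foreach ($prof in 'DomainProfile', 'StandardProfile') {
    $listKey = "$fwBase\$prof\AuthorizedApplications\List"
    if (-not (Test-Path $listKey)) { continue }
    $list = Get-Item $listKey
    foreach ($valueName in $list.GetValueNames()) {
        # The exe path contains a drive-letter colon, so split into at most five
        # fields and rejoin the first two; the display name keeps any later colons.
        $fields = ([string]$list.GetValue($valueName)) -split ':', 5
        if ($fields.Count -ne 5) { continue }
        $exePath = [Environment]::ExpandEnvironmentVariables($fields[0] + ':' + $fields[1])
        $state   = $fields[3]
        $display = $fields[4]
        # Only Exchange entries matter for the mailbox/OWA symptom described in the text.
        if ($exePath -notmatch '\\exchsrvr\\') { continue }
        if (Test-Path -LiteralPath $exePath) {
            Write-Host ("OK       [{0}] {1} ({2})" -f $prof, $exePath, $state)
            continue
        }
        $mismatches++
        # Rewrite everything up to and including "\Exchsrvr" to the real install root
        # (-replace is case-insensitive, so the casing in the exception does not matter).
        $fixed = $exePath -replace '^.*?\\exchsrvr', $exchRoot
        $mode  = if ($state -eq 'Enabled') { 'ENABLE' } else { 'DISABLE' }
        Write-Host ("MISMATCH [{0}] {1} is not on disk; expected {2}" -f $prof, $exePath, $fixed)
        # Command-line equivalent of correcting the path on the Exceptions tab (assumed
        # netsh syntax): drop the stale entry and add one that points at the real binary.
        Write-Host ("  netsh firewall delete allowedprogram program=""{0}""" -f $exePath)
        Write-Host ("  netsh firewall add allowedprogram program=""{0}"" name=""{1}"" mode={2}" -f $fixed, $display, $mode)
    }
}
Write-Host "$mismatches Exchange exception(s) need correcting before the firewall is re-enabled"
```

Run it in an elevated prompt on the Exchange server after rolling back the SCW policy; it only reports and prints the suggested commands, it does not change the firewall itself.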

As with Windows XP SP2, testing Windows 2003 SP1 before installing on production servers is recommended. And even before doing that, check out the Windows Server 2003 SP1 Application Compatibility checklist and contact your hardware and software vendors as appropriate for any necessary updates or workarounds.
