Blazing the Win2k3 SP1 Trail
For those of you who haven't gotten around to installing Microsoft's Windows 2003 Service Pack 1 yet, due to time constraints or trepidation at Microsoft's penchant for breaking as much as they fix in their Service Packs, let's spend some time on this latest of Microsoft's OS Service Packs before you dive in.
Windows 2003 SP 1 was released at the beginning of April, 2005 and is the second stage of the Microsoft security initiative, called "Springboard," from which Windows XP Service Pack 2 originated in August, 2004. It not only contains the usual bug fixes and performance tweaks, but also features a strong concentration on security issues, since Microsoft was beat up pretty badly over security issues in 2003. Ok. So it wasn't just in 2003, but that's their story and I'm sticking to it.
First, the Good News
Windows 2003 SP1 contains many of the new features which previously appeared in Windows XP SP2, although these are installed and configured a bit differently for the server platform. For instance, there's the Windows Firewall, which is simply enabled by default in Windows XP SP2. On the server it is enabled during a slipstreamed (new) installation of Windows 2003 SP1 too, to prevent network-based attacks while setup is still running. However, after nagging you to apply any subsequent patches through Post-Setup Security Updates (PSSU), it is then disabled on the server unless you re-enable it. This makes sense if you think about it: locking down a new installation of Windows 2003 until the latest patches are applied probably isn't a bad idea, and a server that only ever answers on the ports you have deliberately opened is a better default than one that answers on everything.
A few other items which debuted in Windows XP SP2 and reappear in Windows 2003 SP1 are Wireless Provisioning Services (WPS), some COM and DCOM security changes (tighter default launch and activation permissions), Internet Explorer changes and DEP (Data Execution Prevention).
Changes to Internet Explorer include local-machine lockdown, pop-up blocking and add-on management, which allows you to control the installation and removal of add-ons in IE. This feature also allows you to see the add-ons that are installed, which were very difficult to see before.
Windows 2003 SP1 also includes the software-enforced DEP that first appeared in Windows XP SP2. Despite the name, software-enforced DEP does not police memory pages at all; it validates structured exception handlers before they are dispatched (the SafeSEH check), so an attacker who overwrites an exception registration record on the stack with a pointer into attacker-controlled data finds that the handler is refused rather than run. Hardware-enforced DEP is the real no-execute protection. On processors with NX (AMD) or XD (Intel) support, Windows marks the stack, heap and other data pages as non-executable, and any attempt to fetch instructions from such a page raises an access violation instead of executing the injected code. For instance, Dell PowerEdge servers shipped since October 2004 have NX-capable processors.
Software-enforced DEP runs on any processor and is enabled regardless of the hardware-based DEP capabilities of the server. Hardware DEP additionally requires an NX/XD-capable processor and PAE; on Windows Server 2003 SP1 its default policy is OptOut (every process is protected except those you explicitly exempt), controlled by the /noexecute switch in boot.ini. If your server processor has NX capability, the two protections stack: hardware DEP stops code running from data pages, and the SafeSEH check stops the classic exception-handler overwrite that attackers use to regain control when a corrupted stack is about to crash the process.
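Whether either protection actually covers a given binary is decided at link time, so the practical check is on the PE headers of the executables and DLLs you run, not on the service pack. The following Python script is an added example written for this article, not code from Microsoft or the original author. It parses the PE optional header to report the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag (the linker's /NXCOMPAT marker, which later loaders honour directly) and whether a Load Configuration directory is present, which is a necessary condition for SafeSEH. Reading the SEHandlerTable pointer inside that directory would need RVA-to-file-offset translation through the section table and is deliberately left out, so "has_load_config" is a heuristic, not proof of SafeSEH. The sample image built by build_sample_pe is a constructed, header-only PE32 file with no sections and is only there so the script runs offline.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # set by link.exe /NXCOMPAT
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10         # index of the Load Config data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dep_report(data):
    """Inspect raw PE bytes and report the DEP / SafeSEH-related header fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    # Field offsets inside the optional header differ between PE32 and PE32+:
    # DllCharacteristics sits at +70 in both, but the data directories move.
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    number_of_rvas = struct.unpack_from("<I", data, opt + nrva_off)[0]
    has_load_config = False
    if number_of_rvas > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        rva, size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
        has_load_config = rva != 0 and size != 0
    return {
        "magic": magic,
        "dll_characteristics": dll_characteristics,
        "nx_compat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "has_load_config": has_load_config,   # necessary, not sufficient, for SafeSEH
    }


def pe_dep_report_file(path):
    """Convenience wrapper: report on an executable or DLL on disk."""
    with open(path, "rb") as fh:
        return pe_dep_report(fh.read())


def build_sample_pe(nx_compat, load_config):
    """Build a constructed, header-only PE32 image (no sections) for offline testing."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)           # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 16, 224)            # SizeOfOptionalHeader for PE32
    opt = bytearray(224)                             # 96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx_compat else 0)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if load_config:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
                         0x3000, 0x40)               # arbitrary non-zero RVA and size
    return bytes(dos + b"PE\0\0" + coff + opt)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        for t in targets:
            print(t, pe_dep_report_file(t))
    else:
        print("hardened sample:", pe_dep_report(build_sample_pe(True, True)))
        print("legacy sample:  ", pe_dep_report(build_sample_pe(False, False)))
```

Run it with no arguments to see the two constructed samples, or pass real paths such as the executables under your Exchange or IIS directories. An old binary that reports neither flag still gets hardware DEP under the OptOut policy; it is simply the candidate most likely to need a DEP exemption if it really does generate code at run time.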
This service pack is heavy with security enhancements and tools, but the biggest and most highly publicized one is the Security Configuration Wizard (SCW).
Oddly, once SP1 is installed, an icon for SCW appears on the server's desktop. However, this is misleading because at this point the Security Configuration Wizard is not yet installed. It has to be installed separately through Add or Remove Programs (Add/Remove Windows Components). SCW lets the administrator configure server security policy at a very granular level, enabling or disabling services, opening or closing Windows Firewall ports, adjusting registry settings such as SMB signing and LAN Manager authentication level, and setting audit policy according to the role of the server. The resulting policy is stored as XML, which can be exported and applied to other Windows 2003 servers that perform the same roles, for instance Exchange servers, either with the wizard itself or from the command line with scwcmd. Because SCW works by removing everything a role does not need, the roles you select are the whole game: a service or port left out of the role list is a service or port that goes away when the policy is applied.
After Windows 2003 SP1 is installed, you'll be presented with a Post-Setup Security Updates (PSSU) screen which pesters you to update the server with any pending security updates and to configure Automatic Updates. Until this screen is dealt with (or dismissed, since there may be few updates as of this writing), all inbound network traffic to the server is blocked. You must click 'Finish' for inbound traffic to be allowed.
Another less glamorous but still very useful goodie in Windows 2003 SP1 is VPN Quarantine (Network Access Quarantine Control), which holds a newly connected VPN client in a restricted network until a script on the client confirms it meets the security requirements you specify, such as current patches and up-to-date antivirus, and denies normal access to PCs that fail the check.
Okay, Now the Bad News (You didn't think we'd get off that easy did you?)
There are some definite application (in)compatibilities and some 'gotchas' in Windows 2003 SP1. Surprisingly (or not), many of the application incompatibilities or 'gotchas' which surface in Windows 2003 SP1 are products from Microsoft! Fortunately, Microsoft has already devised patches and fixes for most of them.
Microsoft suggests that you wait to install Windows 2003 SP1 on Small Business Server 2003 servers until SBS 2003 SP1 is available. This is because Windows 2003 SP1 affects Remote Access, Fax Services and other critical items on SBS servers. The good news is that if you do install W2K3 SP1 on an SBS 2003 server, you only need to use Control Panel, Add or Remove Programs to uninstall the service pack and regain functionality of these services.
Windows 2003 SP1 is known to cause issues with Exchange 2003 servers and with some products that use Exchange 2003 as part of their messaging functionality. One of these products is Cisco's UNITY, which uses Exchange 2003 Server for its Unified Messaging deployments. Once Windows 2003 SP1 is installed on the Exchange 2003 server, Exchange 2003 is completely unavailable to UNITY. Cisco recommends uninstalling Windows 2003 SP1 to remedy the problem. UNITY 4.0(5) is not affected by this issue; however, this version of UNITY has not been released yet.
If Exchange 2003 is installed in a path other than the default, which is %ProgramFiles%\Exchsrvr, and you use SCW to apply an Exchange Server role policy to your Exchange server, users will not be able to connect to their mailboxes and OWA users may get a 'service unavailable' error. The cause is that the role policy writes Windows Firewall program exceptions using the default path, so the exceptions never match the Exchange executables that are actually running. The fix is to roll back the policy, manually correct the paths on the Windows Firewall Exceptions tab, and only then re-enable it. Microsoft has a KB article available for this snafu.
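The snafu above is a general one: any program exception whose path does not resolve to a real executable is dead weight, and a dead exception for a service you rely on looks exactly like a firewall outage. The following Python script is an added example written for this article, not code from Microsoft or the original author. It parses entries in the format Windows Firewall uses for its per-profile AuthorizedApplications\List registry values (path, scope, Enabled/Disabled, display name, colon-separated; this format and the registry location under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy are stated from memory and are an assumption to verify against your own server), expands environment variables, and reports every exception whose target does not exist. The sample entries, the environment mapping and the set of installed files are all constructed so the check runs offline; on a real server the optional live_stale_exceptions helper reads the registry instead.

```python
import re

# Constructed sample: what SCW writes for the Exchange role (default path) on a
# server where Exchange was actually installed to D:\Exchsrvr, plus one good entry.
SAMPLE_ENTRIES = [
    r"%ProgramFiles%\Exchsrvr\bin\store.exe:*:Enabled:Microsoft Exchange Information Store",
    r"%ProgramFiles%\Exchsrvr\bin\mad.exe:*:Enabled:Microsoft Exchange System Attendant",
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe:*:Enabled:Internet Information Services",
]
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files"}
SAMPLE_INSTALLED = {
    r"d:\exchsrvr\bin\store.exe",
    r"d:\exchsrvr\bin\mad.exe",
    r"c:\windows\system32\inetsrv\inetinfo.exe",
}


def parse_authorized_application(value):
    """Split 'path:scope:Enabled|Disabled:name' into its fields.

    The path contains a drive colon, so the split is taken from the right and
    assumes the display name itself contains no colon.
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed AuthorizedApplications entry: %r" % value)
    path, scope, state, name = parts
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def expand_env(path, env):
    """Expand %VAR% references case-insensitively using the supplied mapping."""
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(match):
        return lookup.get(match.group(1).lower(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, path)


def find_stale_exceptions(entries, env, exists):
    """Return (name, resolved_path) for every exception whose target is missing.

    'exists' is a callable so the check can be run against a constructed file
    list offline or against os.path.exists on the server itself.
    """
    stale = []
    for raw in entries:
        entry = parse_authorized_application(raw)
        resolved = expand_env(entry["path"], env)
        if not exists(resolved):
            stale.append((entry["name"], resolved))
    return stale


def sample_exists(path):
    """Case-insensitive membership test against the constructed installed set."""
    return path.lower() in SAMPLE_INSTALLED


def live_stale_exceptions(profile="DomainProfile"):
    """Windows only: read the real list for one profile and check it with os.path.exists.

    Assumption: the registry path below is recalled from memory and should be
    confirmed on your own server before trusting the result.
    """
    import os
    import winreg
    key_path = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\%s\AuthorizedApplications\List" % profile)
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                _, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append(value)
            index += 1
    return find_stale_exceptions(entries, dict(os.environ), os.path.exists)


if __name__ == "__main__":
    for name, path in find_stale_exceptions(SAMPLE_ENTRIES, SAMPLE_ENV, sample_exists):
        print("STALE exception %r -> %s" % (name, path))
```

Against the constructed sample the two Exchange entries come back stale and the IIS entry does not, which is precisely the state the KB article describes: the firewall is on, the exceptions are present, and neither of them points at the store.exe that is actually listening.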
For ISA 2004, make sure ISA 2004 SP1 is installed before you install Windows Server 2003 SP1; the service pack changes RPC behaviour in a way that breaks the pre-SP1 ISA RPC filter, and ISA 2004 SP1 carries the fix. The fix is already included in ISA 2004 Enterprise Edition.
As with Windows XP SP2, it is recommended that you test Windows 2003 SP1 before installing on production servers in your environment. And even before doing that, check out the Windows Server 2003 SP1 Application Compatibility checklist and contact your hardware and software vendors as appropriate for any necessary updates or workarounds.