Print - What You Need to Know About Windows Server 2003 SP1

Sometime in the first half of 2005, Microsoft will ship Windows Server 2003 Service Pack 1 (SP1), a major feature and security update for its flagship server OS that is, in many ways, as important to Windows 2003 as Windows XP SP2 is to XP. Like other service packs, Windows 2003 SP1 will bring a host of security and bug fixes. It will also provide an unexpected performance bump, new features, and a wide range of security enhancements. Here's what you need to know about Windows 2003 SP1.

New Security Features
Windows 2003 SP1 includes the new Security Configuration Wizard (SCW), a graphical tool that walks you through the server configuration process. The tool uses Windows 2003's roles-based infrastructure to examine the ports and services that must be enabled for a server to fulfill its intended roles. The SCW turns off unneeded services and closes unneeded ports. Because the wizard uses XML-based security templates, you can easily create new templates related to specific needs or export templates to replicate a particular setup across a wide range of machines.

When you first reboot a Windows 2003 SP1 installation on a server that has a live network connection, you'll see a Post-Setup Security Updates screen that prompts you to update the server with any pending critical security updates and to configure Automatic Updates. Until you click Finish on this page, the machine ignores all inbound network traffic. Although you don't need to configure critical security updates or Automatic Updates, you do need to address this screen for the server to become fully functional.

As a major security update for what was already Microsoft's most secure Windows Server version ever, Windows 2003 SP1 also adds all the relevant security fixes that Microsoft first added to XP SP2. However, some of these features, such as Windows Firewall, the Data Execution Prevention (DEP) environment, and boot-time protection, behave differently in Windows 2003 SP1. For example, Windows Firewall is enabled by default only during clean installations (i.e., not upgrades) of Windows 2003 SP1 to protect the system from network-based attacks during the installation. After installation, Windows Firewall is disabled until you enable it.

Windows 2003 SP1 also adds the DEP memory-protection technology, as well as changes to low-level technologies such as Distributed COM (DCOM) and user-level applications such as Microsoft Internet Explorer (IE). IE gets the Local Machine zone lockdown, Information Bar, pop-up blocking, add-on management, and low-level architectural changes that the XP SP2 version of IE first received.

Performance Improvements
Although improving performance wasn't a key goal of Windows 2003 SP1, Microsoft was pleasantly surprised to discover that new code optimizations have generally improved performance. So virtually every Windows 2003 SP1 installation should realize at least a small performance improvement. However, SP1 doesn't include a new version of the kernel or other core Windows Server code. Instead, Microsoft built SP1 on the same kernel as the original software release and says that enterprises won't need to extensively test application compatibility when they upgrade to SP1.

New Wireless Tools
Windows 2003 SP1 ships with a new Wireless Provisioning Services (WPS) technology that lets wireless ISPs (i.e., those companies that operate wireless hotspots at locations such as coffee shops, airports, and the public areas of corporations) use a secure, standards-based wireless provisioning platform. WPS lets clients connect seamlessly to a wireless network and roam from network to network without having to reconfigure settings. Although WPS is a new feature of Windows 2003 SP1, it builds on earlier Windows 2003 technologies such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi, the 802.11b wireless standard.

Protected Access
Windows 2003 SPI also includes a new Wireless Network Setup Wizard that helps administrators configure secure wireless networks. Like its XP SP2–based counterpart, the Wireless Network Setup Wizard in Windows 2003 can copy configuration settings to USB flash drives or other removable media, then use the information to configure other servers. (Malicious users can also use this data to compromise your wireless network, if you're not careful.)

Recommendations
Like XP SP2, Windows 2003 SP1 is a major upgrade that almost constitutes a new product version. For this reason, I recommend that you evaluate Windows 2003 SP1 as soon as possible, with an eye toward rolling it out to your Windows 2003 machines as quickly as feasible. Although no security upgrade will be perfect, Windows 2003 SP1 establishes a new security baseline and helps you, via the SCW, to securely configure servers for specific roles. It's an important upgrade that you shouldn't ignore.

What will be the cost of this? Do you have information available on the pricing yet? Thank you.

More importantly, Is it going to be possible to install this as a scheduled update outside the SUS/WUS environment and respond to this screen by setting the registry like you can do with AutoUpdate service??

This feature is only enabled on "fresh" installations like on Installation CDs with SP1 sleapstreamed, not on upgrades. On fresh installations you can set a unattended configuration to disable the "first boot firewall protection". Regarding the installation options, you could deploy it as XP SP2, over SUS/WUS, manually or over any Software Distribution Solution (like SMS). Cheers, Berni

Does it now support shared fax client for the Mac or does Entourage link up to it to send faxes via a Mac through MS 2003 SBS.

"Until you click Finish on this page, the machine ignores all inbound network traffic. Although you don't need to configure critical security updates or Automatic Updates, you do need to address this screen for the server to become fully functional." Does this mean you can't install SP1 remotely (via Remote Desktop)? Is the server going to hang there waiting for a keypress or mouse click on the console? >>No - this just refers to the Automatic Updates Wizard. I installed SP1 (RC) via an RDP connection with no issues. The Memory protection feature looks like it might be a pain, though. For example, the Altiris Client burps up that it can't map physical memory.

does this mean that you have to have a valid internect connection before installing a new server with win2003 sp1 from cd

What about activation? Will installing SP1 require new activations or entry of license codes, can cause issues on a large cluster of servers

We have started a discussion thread about Windows Server 2003 SP1 and the Altiris Client at http://www.altirisadmin.com/. You can go directly to the thread by visiting: http://www.altirisadmin.com/vbulletin/showthread.php?t=404

Question, I just installed SP1 for both of our Wins 2003 server and the firewall is not turned on. I use remote desktop to manage it remotely since it's in Florida. The reason that I am afraid to turn it on because it might not allow me to connect or any other "PRE-INSTALLED" running software to be run properly. My question is, can I turn it on remotely through my desktop without any problems? Is it like the same graphical interface like SP2? Thank you in advance!

Nevermind...called Microsoft and they helped me with everything. One thing though, before turning it on, make sure to have "remote desktop" checked otherwise you will get disconnected. Thank you.

I cant se any impruvements at all themes utilities and other programs stopped working I wish I could roll it back, I dont know how to do it before installation of sp1 they said that a backup of the old configuration is stored sp1 looks more and more like a trojan horse

If you start having DTC or DCOM issues check you MSTDC default setup: It changed and is not the default anymore.. Have seen this twice... Administration/Components/local/right click ...

I beleive this is for a FIRST-BOOT machine. " When you first reboot a Windows 2003 SP1 installation on a server that has a live network connection, you'll see a Post-Setup Security Updates screen that prompts you to update the server with any pending critical security updates and to configure Automatic Updates. *********** Until you click Finish on this page, the machine ignores all inbound network traffic."

I installed SP1 today on Windows Server 2003 Standard Edition and did not experience any problems. I am running Symantec AntiVirus 9.0 and Aladdin NetHASP for Architectural Desktop 2004. Both programs migrated perfectly along with all network configurations for approximately 25 domain computers and 6 printers. Bill, thank you!

Only two crashes since 2003 sp1 install! Can't wait for the next eight hours! Security wizzard tells me I need Office 97! I've only got '95 and 2002, so guess I'm cooked. But at least combing the event log found a new DNS error.

Sadly, we are a multi-billion dollar corp and still use Office 97 :-( Did anyone loose their server after SP1? I won't have a backup server. Any pitfalls?

Uninstalling SP1 can be done from add/remove programs, or through the \systemroot\$NtServicePackUninstall$\spuninst\ and then running Spuninst.exe /u, following the instructions. Rolling out SP1 was painless on two out of three servers here, one had to be reinstalled/reconfigured though. I dont think the reason was SP1 itself, the server just had a bad day.

I installed 2003 sp1 and now my apache2 server is running on 100% cpu.. anyone know a fix??

Installed SP1 on DHCP server and installed SUS prior to SP1 too. Did it over Remote Desktop on a VPN - no problems!

We're running two Windows 2003 Web Server Edition servers running an ASP.NET application and one Windows 2003 Server Edition server for our SQL Server 2000sp3a DB. Ever since the SP1 was installed our users are experiencing SQL timeouts and slow performance. Not to mention our DB transaction log grows rapidly in size that we're now having to truncate it every 6 hours where as before it would go a couple weeks before having to truncate. Anybody else experiencing similar problems? I guess we were idiots by upgrading both the web servers and the database server to SP1 because now we're trying to figure out if its one or the other. Any help is greatly appreciated.

I installed SP1 on all our servers. Also the remote installation and reboot via VPN without problem, but Backup Exec 9.0 4454 has failed since then. What´s needed to solve this?,BE 9.0 SP1, 9.1, 10, Or something else?

Installed on HPDL 360 after HP recommended patches for W2k3. Several issues. Server does not respond after patching with SP1. Tested on Machine only with W2k3 and no apps. Still unsuccessful. Will update you on future testing. Careful. Make sure you have good backup or image.

Upgraded my Win2k3 to service pack 1, then removed it, now I am haing problems opening some ports. Is this a known issue?

What is the timeframe for installing SP1 and do you have to take the servers offline. Thanks

I installed SP1 via remote connection to a NAS box with no Video card in it. Now I cannot access the box for administration purposes. I can access the registry remotely and the drives that are shared out but I can't access the remote desktop or port 8098 for my administration screens. Is this because the SP turns on the firewall? Or is it waiting for input on a screen that doesn't exist anywhere? Any help or ideas would be greatly appreciated. My back-ups with Backup Express won't run because it can't access the client software on the C: of the NAS so none of my data is backing up. Starting to get very nervous. Maker of NAS has not been very helpful.

I need to know, what precautions I need to take before installing Win server 2k3 SP1 on machines running MS Exchange Server 2003 and Trend Micro OfficeScan 6.5. please mail the answer to omahmud@banglalinkgsm.com.

Has anyone had any problems with w2k3 sp1 with sharepoint services sp1. I am getting Server Application Unavailable.

We just upgraded with Windows Server Enterprise 2k3 to SP1 and now in our asp pages we cannot even create a connection object to connect to our sql database. In the past they had problems with the MDAC not upgrading and needing it, but I only found these problems when upgrading from 2000 to 2003. Does anyone know if this is also a problem in SP1? We have version 2.8 of MDAC. And it should work. Sounds like ASP and SP1 aren't friends. Anyone have similar problems or suggestions?

2003 SBS, I installed Sp1 yesterday. The server is running very slow and crashed this morning. It finally rebooted after hanging for 30 minutes. It shows a new error in the event log ID 1005 dsrestor. Microsoft has no info on this error. Another bad joke from Bill and his crew. Thanks guys

I am having the same issue as April 20, 2005. On a 2003 Srv std box with sql2000. We are experiencing time outs and slow performance ever since SP1 install. Has anyone found a solution?

After starting any installation, networking connects getting changed. How can I change to earlier settings?