In response to every survey I field for my Hey Microsoft! column, readers always ask Microsoft to address security and to provide a roadmap for products. With the release of Windows Server 2003 Service Pack 1 (SP1), the company is tackling both concerns. SP1 is positioned as the Windows Server security release similar to Windows XP SP2. And coinciding with SP1, Microsoft is taking the opportunity to mark out a path of predictable releases every 2 years. I talked with Microsoft's Clyde Rodriguez (group program manager and the project manager responsible for the SP1 and 64-bit Windows releases); Samm DiStasio (director of marketing, Windows Server Division); and Jeff Price (senior director of marketing, Windows Server Division) about SP1, how SP1 fits in with the new roadmap and the impending Windows 2003 Release 2 (R2), SP1 features and fixes, and the role of customer feedback. For a more in-depth discussion with Clyde about delivering SP1, see the Web-exclusive sidebar "The Drive to Deliver SP1: Clyde Rodriguez Explains the Focus on Security, Reliability, and Performance," available to Windows IT Pro subscribers at http://www.windowsitpro.com, InstantDoc ID 45900.
Release Roadmap
Microsoft has always released server fixes, features, and new versions, but the timing and packaging of these various offerings have been erratic. Customers, especially those in the Software Assurance (SA) program, have been pleading for clarity about what to expect and when to expect it.
To answer that plea, Microsoft has announced that it will issue a server OS release every 2 years: first a completely new version (e.g., Windows 2003 or Longhorn), then 2 years later an update that rolls up new features and introduces improved functionality targeted at specific areas. For example, Windows 2003 R2 will include features that have been released as downloads (i.e., out-of-band [OOB] releases), such as Active Directory Application Mode (ADAM). In addition, R2 will focus on enhancements for branch-office scenarios, Active Directory (AD) federation, and storage.
Unlike service packs, which Microsoft will continue to release as necessary to provide fixes, the update releases won't be free. SP1, which is free, will be a prerequisite for R2. Clearly, Microsoft views the update releases as a much-needed way to provide value for its SA customers. I asked Samm DiStasio to explain the new approach.
Samm: I think it's important for customers to see us being very structured about our business so that they know that every 2 years there will be something they should at least consider. Now you can expect a release of the entire OS every 2 years. Previously, we kept throwing downloadable components out there. The R2 version will bring together the latest innovations into one release.
KF: Were you concerned that customers wouldn't know that the downloadable OOB features even existed?
Samm: Yes. We couldn't really tell people enough about each new piece. If features come out in dribble form, you can't do a big marketing campaign for something like ADAM. [The new release structure] allows us to be louder about it, so customers know to pay attention.
So how does SP1 fit in this new picture? I asked Jeff Price for his perspective.
Jeff: SP1 is an update that will augment Windows 2003 and constitutes a shift in the server-security paradigm. With R2, we're focused on providing a better consumption model for the feature packs that otherwise would be released to Web. Our customers told us that they felt we were providing too many separate updates or OOB releases. R2 helps us make the release of new features more predictable in terms of timeframe and simplifies deployment for our customers.
Windows 2003 R2 is the next version of Windows Server and will build on SP1 technology. R2 will deliver on our philosophy of increasing consistency and predictability for customers and will bring forward SP1's security and reliability enhancements. It will also provide new functionality around simplified branch server management, access management across security boundaries, and more efficient storage.
SP1 Features and Fixes
Since the Windows NT days, Microsoft has wrestled with how to position service packs with regard to adding new features. When Paul Thurrott interviewed Microsoft Vice President Dave Thompson at the launch of Windows 2003, Dave explained, "It used to be that [service packs] were flexible, a way that we could deliver features as well as fixes. But customers made it clear that they wanted bug fixes only [in service packs]. That leads to an interesting question, though: What, exactly, is a bug? Is a missing feature a bug? Customers often have different views themselves. But [Windows] NT 4 SP3 was the end [of major new features in service packs]." (For Paul's story, "Windows Server 2003: The Road To Gold; Part Two: Developing Windows," see http://www.winsupersite.com/reviews/winserver2k3_gold2.asp.)
Well, maybe not quite the end. SP1 includes both fixes and some security enhancements that qualify as missing features. Jeff explained, "Service packs are traditionally a group of existing updates for a product. SP1 is more than that. In addition to the latest updates for Windows 2003, SP1 adds new enhancements designed to improve security and reliability."
I asked Clyde, Samm, and Jeff to look at some of the security enhancements that Jeff mentioned. Then we moved on to discussing the fixes in SP1.
Security Configuration Wizard
KF: The SP1 security feature that has received the most attention is the Security Configuration Wizard (SCW). As the project manager and technical driver of SP1 and the Windows 2003 x64 editions, Clyde, can you give a quick overview?
Clyde: Like other wizards that help configure your server properly (e.g., Configure Your System and Manage Your System), SCW provides a guided attack-surface reduction for your server. When you run SCW, it asks you questions to determine the functional requirements of your server according to its role.
Jeff: By shifting security into a role-based paradigm, SP1 lets customers run no more additional services than they need, eliminating potential toeholds for hackers and malicious code. Moreover, role-based security eases the deployment of future updates, reducing the time it takes for IT professionals to prepare for new security holes.
Clyde: To accomplish this, SCW's roles-based metaphor is driven by an extensible XML knowledge base that defines the services, ports, and other functional requirements for more than 50 different server roles, including roles for Windows Server System applications such as Microsoft Exchange Server and Microsoft SQL Server. SCW disables any functionality that the server doesn't require for the roles it's performing.
SCW can perform role discovery, solicit user input, and author security policies that disable services, block ports, modify registry values, and configure audit settings according to the server role. Even ports that are left open can be restricted to specific populations or secured by using IP Security (IPsec).
KF: You've said SCW is extensible. How does that work?
Clyde: Since the format is XML, users can create an XML template for a unique server role at their organization. They can then use this template to secure other computers with the same configuration needs. Exporting the templates is possible, but not necessary, because an administrator can select any computer in the organization to apply the template to, provided you have admin rights to the computer. SCW also lets you roll back previously applied policy settings. It includes a command-line tool with which you use administrative scripts and other administrative utilities to apply a security configuration, and you can do compliance analysis for groups of servers in your organization. SCW also integrates with AD to support deployment of SCW-generated policy settings through Group Policy.
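As an added illustration (not code from the article or from Microsoft), the command-line workflow Clyde describes can be scripted: a policy authored with SCW on a reference server is first checked against a group of servers in analyze (read-only) mode, and only servers an operator approves after reading the reports are configured. The server names and file paths are assumed placeholders; the scwcmd verbs and switches used (analyze, configure, rollback, transform with /m:, /p:, /o:, /g:) are the tool's own.

```powershell
# Added example: compliance analysis, then controlled apply, for a set of file servers.
# Assumptions: the policy was saved from SCW to the path below; server names are
# constructed placeholders, not real hosts.
$Policy  = 'C:\SCW\FileServerRole.xml'     # SCW-authored role policy (placeholder path)
$Servers = @('FS01', 'FS02', 'FS03')       # constructed server names
$Results = 'C:\SCW\Analysis'               # one <server>.xml result per machine lands here
New-Item -ItemType Directory -Path $Results -Force | Out-Null

# 1. Analyze only: compare each server's current state with the role policy.
#    Nothing is changed on the target; the result XML lists the deviations.
$Failed = @()
foreach ($s in $Servers) {
    & scwcmd.exe analyze "/m:$s" "/p:$Policy" "/o:$Results"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd analyze failed on $s (exit code $LASTEXITCODE)"
        $Failed += $s
    }
}
Write-Host "Analysis results written to $Results; review them (scwcmd view) before applying."

# 2. Apply the policy only to servers an operator has explicitly approved after review.
#    Keeping this list separate from $Servers prevents an unreviewed mass change.
$Approved = @('FS01')
foreach ($s in $Approved) {
    if ($Failed -contains $s) { Write-Warning "Skipping $s: analysis did not complete"; continue }
    & scwcmd.exe configure "/m:$s" "/p:$Policy"
    if ($LASTEXITCODE -ne 0) { Write-Warning "configure failed on $s (exit code $LASTEXITCODE)" }
}

# 3. Undo path: SCW keeps the pre-change settings, so a server that misbehaves afterwards
#    can be returned to its previous state with:
#      scwcmd rollback /m:FS01
# 4. AD alternative: instead of touching servers one by one, the same policy can be
#    converted into a Group Policy Object for deployment through AD:
#      scwcmd transform /p:C:\SCW\FileServerRole.xml /g:"File Server Hardening"
```

Run it from an account with administrative rights on every target, as the interview notes; analyze results are the evidence to keep for the compliance check Clyde mentions.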
KF: Why did you put this new feature into a service pack instead of waiting for the R2 version?
Clyde: The decision was customer focused. It's great to have a dialog about how customer interaction influenced the design of a feature. We wanted to simplify the process for securing a machine against external attack, based on feedback about Windows 2003 and previous releases. SCW came about through general customer feedback about security improvements. Then we refined it further by deciding not to impose it on every user and striking a balance. We hope the solution we've offered gives all camps access to what they want.
KF: What do you mean when you say you didn't want to impose it on every user?
Clyde: Customers want service packs to focus on improving the OS without dramatically changing the product's functionality. There has been a long debate over bug fixes versus new features. Some customers say they want only fixes. Others look for improvements. Some people on our development teams wanted to give SCW to everyone. Another camp here at Microsoft cited customers who didn't want SCW forced on them. We had to strike a delicate balance between delivering what one set of customers needed and also meeting the requirements of others that don't want the tool. Customer analysis convinced us that making SCW an option as opposed to a default offered the best of all worlds.
KF: So your compromise was to have users install SCW via the Add or Remove Programs applet. Are you worried that some people might not find it?
Clyde: We placed an SCW icon on the desktop so that users immediately see a link to additional information. When they click that icon, it doesn't automatically start installing SCW. It provides a link to information on our Web sites about what the feature is and its benefits. Then if customers want to install SCW, the process points them to Add or Remove Programs, and SCW automatically installs from there.
I read Karen Forster's article "Microsoft Talks About Windows Server 2003 SP1" (May 2005, InstantDoc ID 45898) and find it unfortunate that it included no mention of a major bug that caused three sites in my network to go down. It took me 2 days of exhaustive research before I discovered a hotfix, which isn't available online—I had to call Microsoft, as the Microsoft article "Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail" (http://support.microsoft.com/?kbid=898060) specifies. The interesting thing about this bug is that it takes a few days after installing Windows 2003 SP1 for the symptoms to show up. And it's hard to diagnose the cause from the symptoms. On my network, we experienced mapped drives suddenly not working, Web mail going down for users in one site but not others, and replication failing between domain controllers (DCs) in different sites.
—Darren Reed
Anonymous User, June 21, 2005
I read "Microsoft Talks About Windows Server 2003 SP1" and enjoyed the article. I want to pass along something I was told by a tech support person from McAfee. I was told not to install Windows 2003 SP1 on the server that runs McAfee ePolicy Orchestrator (EPO), my antivirus administration software. I was also told that it could be months before McAfee will certify SP1 for use with this product because Microsoft tested Windows 2003 SP1 with an old version (2.0) of EPO, which currently is in version 3.5.