Sometime in the first half of 2005, Microsoft will ship Windows Server 2003 Service Pack 1 (SP1), a major feature and security update for its flagship server OS that is, in many ways, as important to Windows 2003 as Windows XP SP2 is to XP. Like other service packs, Windows 2003 SP1 will bring a host of security and bug fixes. It will also provide an unexpected performance bump, new features, and a wide range of security enhancements. Here's what you need to know about Windows 2003 SP1.
New Security Features
Windows 2003 SP1 includes the new Security Configuration Wizard (SCW), a graphical tool that walks you through the server configuration process. The tool uses Windows 2003's roles-based infrastructure to examine the ports and services that must be enabled for a server to fulfill its intended roles. The SCW turns off unneeded services and closes unneeded ports. Because the wizard uses XML-based security templates, you can easily create new templates related to specific needs or export templates to replicate a particular setup across a wide range of machines.
When you first reboot a Windows 2003 SP1 installation on a server that has a live network connection, you'll see a Post-Setup Security Updates screen that prompts you to update the server with any pending critical security updates and to configure Automatic Updates. Until you click Finish on this page, the machine ignores all inbound network traffic. Although you don't need to configure critical security updates or Automatic Updates, you do need to address this screen for the server to become fully functional.
As a major security update for what was already Microsoft's most secure Windows Server version ever, Windows 2003 SP1 also adds all the relevant security fixes that Microsoft first added to XP SP2. However, some of these features, such as Windows Firewall, the Data Execution Prevention (DEP) environment, and boot-time protection, behave differently in Windows 2003 SP1. For example, Windows Firewall is enabled by default only during clean installations (i.e., not upgrades) of Windows 2003 SP1 to protect the system from network-based attacks during the installation. After installation, Windows Firewall is disabled until you enable it.
Windows 2003 SP1 also adds the DEP memory-protection technology, as well as changes to low-level technologies such as Distributed COM (DCOM) and user-level applications such as Microsoft Internet Explorer (IE). IE gets the Local Machine zone lockdown, Information Bar, pop-up blocking, add-on management, and low-level architectural changes that the XP SP2 version of IE first received.
Although improving performance wasn't a key goal of Windows 2003 SP1, Microsoft was pleasantly surprised to discover that new code optimizations have generally improved performance. So virtually every Windows 2003 SP1 installation should realize at least a small performance improvement. However, SP1 doesn't include a new version of the kernel or other core Windows Server code. Instead, Microsoft built SP1 on the same kernel as the original software release and says that enterprises won't need to extensively test application compatibility when they upgrade to SP1.
New Wireless Tools
Windows 2003 SP1 ships with a new Wireless Provisioning Services (WPS) technology that lets wireless ISPs (i.e., those companies that operate wireless hotspots at locations such as coffee shops, airports, and the public areas of corporations) use a secure, standards-based wireless provisioning platform. WPS lets clients connect seamlessly to a wireless network and roam from network to network without having to reconfigure settings. Although WPS is a new feature of Windows 2003 SP1, it builds on earlier Windows 2003 technologies such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi, the 802.11b wireless standard.
Windows 2003 SPI also includes a new Wireless Network Setup Wizard that helps administrators configure secure wireless networks. Like its XP SP2–based counterpart, the Wireless Network Setup Wizard in Windows 2003 can copy configuration settings to USB flash drives or other removable media, then use the information to configure other servers. (Malicious users can also use this data to compromise your wireless network, if you're not careful.)
Like XP SP2, Windows 2003 SP1 is a major upgrade that almost constitutes a new product version. For this reason, I recommend that you evaluate Windows 2003 SP1 as soon as possible, with an eye toward rolling it out to your Windows 2003 machines as quickly as feasible. Although no security upgrade will be perfect, Windows 2003 SP1 establishes a new security baseline and helps you, via the SCW, to securely configure servers for specific roles. It's an important upgrade that you shouldn't ignore.