On Wednesday evening, Microsoft publicly released the final shipping version of Windows Server 2003 Service Pack 1 (SP1), the long-awaited security update. Windows Server 2003 SP1 is a long time coming--the initial version of Windows Server 2003 shipped almost two years ago--but it includes substantial security updates, some new features, and even performance improvements across the board. For these and other reasons, Microsoft says that all Windows Server 2003 customers should install SP1 as soon as possible.
"With Windows Server 2003 Service Pack 1, our development team took the time to treat the root cause of many security issues, not just the symptoms," says Microsoft senior vice president Bob Muglia, who oversees the Windows Server Division. "This service pack is very significant and should help address certain classes of exploits. Service Pack 1 is a major component of our overall strategy to help keep customers as secure as possible. I encourage all of our Windows Server 2003 customers to deploy Service Pack 1."
Some of the new security technologies in Windows Server 2003 SP1 include:
Security Configuration Wizard (SCW) - A new way to configure not just server roles, but server security based on which roles the machine needs to perform. The SCW can lock down ports, services, and other server features.
Windows Firewall - First released as part of Windows XP Service Pack 2 (SP2), the Windows Firewall is generally off by default in Windows Server 2003 SP1. However, Windows Firewall will be enabled by default on new installs, and during boot-up and setup, in order to protect the system from new classes of attacks.
Post-Setup Security Updates (PSSU) - When Windows Server 2003 with SP1 is installed on a new server, network connectivity to the system is shut off until an administrator configures Automatic Updates (AU) and downloads any critical software updates that might have shipped since SP1 was first released. This feature, dubbed PSSU, also protects machines during a previously insecure time.
Interestingly, SP1 increases overall server performance, which is unusual for a service pack. "The performance improvements are like the frosting on the cake," Sam Distasio, a group product manager for Windows Server told me during a briefing yesterday. Depending on the workload, the performance increase can be somewhat dramatic. Secure Socket Layer (SSL) performance, for example, is up 50 percent with SP1 installed, because support for that technology has been moved into the kernel with HTTP.SYS (which was moved into the kernel in the initial release of Windows Server 2003). Web hosts will also see big improvements, with a 40 to 80 percent startup time reduction, depending on the number of hosted sites. Overall, networking tasks impact the processor 50 percent less than before.
Windows Server 2003 SP1 is available for Windows Server 2003 Web, Standard, Enterprise, and Datacenter Editions. And in the sales channel, Windows Server 2003 will be replaced with a new version that is integrated with SP1. Microsoft told me that an SP1 release for Windows Server 2003 Small Business Edition will ship within 60 days. This product will include all of the changes from SP1, plus the latest service packs for all of that product's bundled servers, including Exchange Server and SQL Server. The fixes for all of those products will be integrated into a single, simple installation package. Also, two other products, Windows Server 2003 x64 Editions, and Windows XP Professional x64 Edition, were finalized along with SP1 and will be made available to customers in late April.
Windows Server 2003 SP1 is free. Customers interested in downloading the update can visit the Microsoft Download Center (URL below) or Windows Update. Microsoft is also providing a wide range of deployment documentation for SP1. For more information about Windows Server 2003 SP1, please see my preview on the SuperSite for Windows.