Microsoft Releases Windows Server 2003 SP1
Masq666 writes "Microsoft has wrapped up development on the first major update to its Windows Server 2003 operating system and released it for download. The company said that Windows Server 2003 Service Pack 1 is currently available for download via Microsoft's site and will soon start showing up on new servers. Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2. News.com.com has more details and commentary."
I've been using the latest RC as a desktop OS for a while, and it's pretty good; it does have some issues with Steam, but then again, it's not meant to be a gaming OS, just a server OS.
All in all, though, it's damn stable and secure as is, and it's pretty responsive.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
So what is "later this year" in Microsoft time?
This?
http://www.winsupersite.com/showcase/longhorn_pre
Longhorn Milestone 9 (M9) and platform complete: March 2005
Longhorn Beta 1: Late May 2005
Longhorn Beta 2: October 2005
Longhorn Release Candidate 0 (RC0): Late February 2006
Longhorn Release Candidate 1 (RC1): April 2006
Longhorn release to manufacturing (RTM): May 24, 2006
Enhancements
In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:
Stronger defaults and privilege reduction on services--Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.
Support for "no execute" hardware--Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.
Network Access Quarantine Control components included--Windows Server 2003 SP1 now includes the Rqs.exe and Rqc.exe components to make deployment of Network Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003.
IIS 6.0 metabase auditing--The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.
New features
Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.
Windows Firewall--Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer's network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.
Post-Setup Security Updates (PSSU)--Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.
Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.
If you install this on SBS2003, do NOT run the new wizards - wait until SBS2003 SP1 is released in the next month or so.
Windows Server (.NET, 2003 whatever) has had a firewall in it essentially since Windows NT, in the form of the IPSec services, which offer every bit as much functionality as IPTables.
The XP family bundled IPSec into a simple wrapper called Windows firewall, which was expanded upon in SP2 to provide things like warnings etc, and it is this functionality that has been cross-ported to the Server line.
Regards,
-Steve Gray
This is beta software and not part of Windows Update. There's literally NO WAY it could have been automatically downloaded and installed: it must be manually downloaded and then explicitly installed.
Slashbots are morons for a) believing this troll and b) modding it up.
How did it "automagically" deploy on your box when MS isn't putting it on Windows Update until July? It can only be manually downloaded until then.
It is available through Windows Update right now. I don't know if it will work through Automatic Updates, but if you manually activate Windows Update the scan results page will inform you that it is one of the "Critical Updates and Service Packs".
Well it did come with a firewall. As a fact the same firewall is supplied with every version of 2003 and XP:
Windows Basic Firewall
Vanilla 2003 server. Control Panel --> Network Connections--> Local Area Connections --> Properties-->Advanced--> "INTERNET CONNECTION FIREWALL"
Hmm, what do you know, a software firewall built into it.
If you were a 2003 admin, you would know that the default vanilla 2003 server does indeed include a software firewall. Anyone who says it doesn't either has never used it, or is one of those paper MCSE types that has no actual working knowledge of how to admin a windows box, and never discovered the setup for it because it wasn't included in his cram course.
The size is because the entirety of the core services set has been recompiled to use the XP-SP2 Data-Execution prevention technology, which allows for NX support in all applications with appropriate hardware, and a further emulated NX feature that covers the core services infrastructure regardless of CPU platform. This doesn't require most applications to be recompiled, because most of the changes have occurred behind the Hardware abstraction that all Windows applications are coded for.
Regards,
-Steven Gray
-Technical Director, Pulse Unsigned
Great, now you've discovered the firewall exists. What's the problem with multiple IPs? You can easily set the access to specific ports by specific IP. Where's the problem?
No, you're both wrong.
2003 has always had a firewall, ICF. NT, since at least version 4.0 has always had a firewall, but unfortunately, it was wrapped in the "IPSec Policy" functionality at the time.
I would expect a clueless MS basher to actually look before flaming, though.
I'm not a Microsoft crony or advocate, but I also don't want people to be misinformed. Server 2003 DOES include a built in firewall by default, but at that same time it is turned off by default. Right click on the network connection's local area network icon -> click on properties -> and select the advanced tab.
Who said it's insecure out of the box? I realize this is /. - one big, happy bandwagon - but seriously, try using it and reading about it. All unnecessary services are shut down and not even IIS is installed by default (unless you get the web edition of 2003).
Mainstream support for 2k pro and server expires on June 30, 2005. They're supposed to release an Update Rollup pretty soon, instead of a full blown (bloat) service pack 5. I'm guessing it'll come out around the end of May, beginning of June.
I was just reading about WinFS being back-ported to XP and 2k3 server. Dunno, but that seems like we won't be herded into upgrades as forcefully as it initially appeared before indigo and avalon were backported.
You can disable it.....
Apply Windows 2000 Default Internet Explorer Security Settings
If Internet Explorer Enhanced Security Configuration is enabled on your server, you may decide to use the default Internet Explorer security settings used by Windows 2000.
To do this, follow these steps:
1. Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
2. Select Internet Explorer Enhanced Security Configuration, click to clear the selection, and then click OK.
3. Click Next, and then click Finish.
4. Restart Internet Explorer to apply the changes.
Bored? Why not join a decent mess
A local firewall will simply allow an administrator more control over who can access a system.
Examples:
You've got service "A" that you only want to allow connections from localhost.
Service "B" you only want connections from your local LAN
Service "C" you only want connections from one particular IP.
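The three cases in the comment above, expressed as Windows Firewall exceptions using the netsh firewall commands that accompany Windows Firewall (an added example, not part of the original thread; the ports, rule names and the address 192.168.0.10 are constructed placeholders):

```batch
@echo off
rem Added example. Ports, rule names and 192.168.0.10 are constructed placeholders.

rem Windows Firewall is off by default on Server 2003 SP1: turn it on and
rem allow the per-port exceptions defined below to take effect.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Service "A" (localhost only): add NO exception for its port. With the
rem firewall on, inbound connections from other hosts are dropped. Also bind
rem the service to 127.0.0.1 in its own configuration so it never listens on
rem a routable address.

rem Service "B" (local LAN only): scope=SUBNET limits the exception to the
rem directly attached subnet. A LAN that spans several subnets needs
rem scope=CUSTOM with an explicit address list instead.
netsh firewall add portopening protocol=TCP port=8080 name="Service B (local subnet)" mode=ENABLE scope=SUBNET

rem Service "C" (one particular IP): scope=CUSTOM with a single address.
netsh firewall add portopening protocol=TCP port=1433 name="Service C (single host)" mode=ENABLE scope=CUSTOM addresses=192.168.0.10

rem Review the result: operational mode, then every open port with its scope.
rem Any entry without a restricted scope is reachable from every source.
netsh firewall show opmode
netsh firewall show portopening
```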
Which is what most people do. Which enhances security... how again? It's really a stupid way of "securing" a Windows machine, because it really amounts to nothing more than a nag screen telling you to not click on anything or the boogeyman is going to get you. :-/
Considering that the only reason why you need a web browser on a server is for troubleshooting and patch downloads, then disabling browser plugins, disabling auto-file open/external URL handlers, and removing ActiveX support should do the trick nicely.
Javascript + Nintendo DSi = DSiCade
Microsoft acknowledge January patch for 98/ME is flawed. Surprise!!
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
"Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. "
Last time I looked at ftp.kernel.org, there were lots of nice patches in the /pub/linux/kernel/v2.6 directory. It's how I've been updating my 2.6 since I first downloaded it at 2.6.4. cat ../patch-2.6.N | patch -p1 -E && make oldconfig does wonders.
Some of the deltas are large (a couple mb), but nothing like the size of a full kernel download.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
First, last I checked none of Microsoft's patches required sending an activation code yet in order to download; so far, they're just asking very nicely (for a corporate behemoth)-- you could still say no and download any of them.
Second, for this service pack Billy Boy doesn't even ask; just go to the URL given in the story, click the button and download. Or, just download directly once someone provides the karma-whoring direct file link for you.
I presume, of course, you're not silly enough to be asking if Win2K3Srv still requires a key to install in the first place....
//Information does not want to be free; it wants to breed.
I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accommodate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.
This is exactly what they do. The large 300+ MB download is designed for network administrators who want to download the whole thing to apply to multiple machines. If you're just going to be updating a single machine, use Windows Update to get SP1. It uses a smart installer to only download the pieces you need (typically one-third to one-half the size of the full update).