Microsoft Releases Windows Server 2003 SP1

Masq666 writes "Microsoft has wrapped up development on the first major update to its Windows Server 2003 operating system and released it for download, The company said that Windows Server 2003 Service Pack 1 is currently available for download via Microsoft's site and will soon start showing up on new servers. Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2. News.com.com has more details and commentary."

Free update ?

[mirko]

Does it still require an activation code of some kind or not ?

Re:Free update ?

[Martin+Blank]

If you're asking about the 'genuine Windows software' program, no, it does not. You can just go and download it -- all 337MB of it (and I thought XP SP2 was big).

Re:Free update ?

[mirko]

I meant activation, not download... like for Windows XPSP1 which required the w4r3z dudes not to use some stolen activation code...

Re:Free update ?

[varmittang]

Ok, you are basically throwing up the red flag saying, "I don't have a legitimate install of Windows 2003 Server, so I want to know if I can update my server without getting in trouble". To answer that, I say take your chances, because my company has ligitimate copies, so I don't have to worry about if it will let me update or not.

Re:Free update ?

[mirko]

Not really : I am a Mac user. I was just asking out of curiosity because it would be interesting to know if what-Microsoft-and-the-bsa-call-software-piracy is as serious in the corporate world as they say it is in the family world.

Re:Free update ?

[jla0]

No it doesn't require to validate to download the file but having installed it on a test box I can tell you that it does "check" for a valid key on the box. So they probably did the same thing as XP SP2 and invalidated a bunch of known pirated keys.

Re:Free update ?

[Tuxedo+Jack]

No, it doesn't.

Part of the reason for this is that Server 2003 is intended to be a server OS, and anyone who buys it is generally getting it from an OEM and therefore has a legitimate key.

Not too many people will buy it as a standalone, and those who pirate it will probably do so for development purposes. It's not exactly a perfect desktop OS; that's XP's niche, and that's far more pirated than Server 2003.

Re:Free update ?

[varmittang]

Oh, you will be suprised at what I get asked to do, and this is from business people with more money to spare than I do. "Hey, can you crack this software for me?" "Can't I just load this one copy on all the machines?" So many times I have to stick my neck out and say I can't do that, or that we need to buy more licenses. With that I get an angry face and a huff from them because I didn't want to compromise myself to save them a couple bucks. I became the IT manager of this company months ago and I'm still trying to fingure out if all our installs of MS Office are ligit or not, since the company didn't keep a record of anything, not even the disks that came with the PCs.

Re:Free update ?

[Mr+Ambersand]

Based on my experience with the free trial, in some respects 2003 server is either about the same, or slower than a stripped-down (ie no visual effects) XP.

I can't say for "more secure", but if you want faster - 2000 is faster than either XP or 2003.

From what I can tell 2003's niche is that it will be supported in 3 years (2000 won't, afaik).

Re:Free update ?

[Pxtl]

And will it break your wifi drivers? Had lots of fun figuring out how to deal with that when I installed SP2.

Re:Free update ?

[chrisopherpace]

If you can't find the licenses, they are not legit. The BSA will not care how they were installed if you don't have those little stickers/pieces of paper.

Re:Free update ?

[chrisopherpace]

Windows SBS Server 2003 is indeed faster, and requires less RAM than SBS 2000. With SBS 2000, a server needed about a gig and a half with Exchange running on a tiny (10 users or more) network without bombing. With SBS 2003, 512 MB RAM is more than enough, only swapping out about 256 MB. Don't know the logic behind that one, but you can't complain!

Re:Free update ?

[MyLongNickName]

Want a quick tip? Just say "Sure. But can you send me a quick e-mail stating which PCs you want me to install this on? That'll help me remember".

You won't get an e-mail.

Re:Free update ?

[varmittang]

They would probably send me that email. But if you ment to say, "Sure. But can you send me a quick e-mail stating which PCs you want me to install this on? That'll help me remember. And could you also write in there that if we get investigated and into any legal trouble you will bare full responsiblity and blame for the situation and not me. After that, I will do anything that you write down."

Re:Free update ?

[quantum+bit]

Are you kidding? 2k3 server makes for a far better desktop than XP. All the annoying crap is off by default.

No bubbly playskool theme. No MSN Messenger popups. No product activation. No "take the tour!". No windows media player intruding into everything. IE is crippled by default -- ripe for Firefox installation.

It feels a lot more like if you took 2000 Pro and added the few GOOD things about XP.

Re:Free update ?

[operagost]

If you bought licenses through a volume-licensing agreement, you may be able to at least get your vendor to look up your authorization codes.

Re:Free update ?

[returnoftheyeti]

How did you fix the broken driver issue?

Re:Free update ?

[chrisopherpace]

They want the actual licenses. I had a client audited before, they want the stickers/pieces of paper.

Re:Free update ?

[Pxtl]

Replied to your email, but for anyone else with this problem: I downloaded new drivers for my card fomr the manufacturer's site (not the MS Update ones - those didn't work).

The trick is forcing the new drivers to be installed (had to use the "select a driver to install" option in add new hardware - any autodetection put in the wrong drivers). Anyhow, this worked for my D-Link 520 G wifi board. Probably different solutions for other boards.

Alternately, you can uninstall SP2. This works, but its annoying as SP2 keeps begging to be installed later.

Re:Free update ?

[walt-sjc]

Yep. I've been through an audit too. Previous IT manager was horrible about records. Ended up paying huge $$$ in new licenses to get compliant. The license cards / stickers are the only things that count.

Re:Free update ?

[Procyon101]

There is a primary drawback though. The memory management strategy is different between the desktop and server editions of Windows (actually, tha't probably the only difference outside of packaged applications) so if you are using server for heavy local GUI work you will probably see decreased performance over XP. It would be better to use XP on the desktop and turn off all those things such as Messenger and XP theme.

Re:Free update ?

[quantum+bit]

There is a primary drawback though. The memory management strategy is different between the desktop and server editions of Windows.

The first step to fixing that is in the System Propties (right-click on 'My Computer'). Under the Advanced tab, go to Performance Settings, then the Advanced tab in that. Change both Processor scheduling and Memory usage to "Programs".

There are some other more subtle things as well, but these can be tweaked in the registry if you know where to look. IIRC the default quantum length is longer on Server than Pro (at least it was for 2000). The articles over at Sysinternals can be helpful here, especially the one about the differences between Server and Workstation.

Re:Free update ?

[Procyon101]

Actually, the actually DLL that handles memory management in the kernal is different.. The reg setting is just a hint to the OS, but doesn't retarget the entire memory algorithm.

Re:Free update ?

[DRobson]

Well, seeing everything is disabled by default you're not left feeling particularly surprised a few days later when you get slammed by an IE exploit, etc.

Obviously 2k3 is a lot more difficult for your novice to run, but if you're an enthusiast you're not going to have a hard time enabling features you need, while not having to spend the extra hours disabling all the extraneous crap inherent in windows releases.

Re:Free update ?

[devilspgd]

If you turn off the preschool interface and the visual effects XP appears to be faster here, although that's based on appearance and not any formal testing.

heh

[Enjoi]

£10 says it has a major security vunerability found in it within the first week of release.

Re:heh

[cwebb1977]

Not even the crazy british bookies would accept such a bet. And not even Billy Gates would bet against it, he's too good a businessman for that.

Re:heh

[LurkerXXX]

Right! And that's important because we know that no Linux distro has ever had a security patch released within weeks of a big update....

</sarcasm>

Re:heh

[AKAImBatman]

And not even Billy Gates would bet against it, he's too good a businessman for that.

Pfff! As if! Bill Gates would take your bet, then he'd make sure that copies of SP1 stay out of the hands of the most common bug reporters, that tech support convienently "loses" any reports that do come in, and he'd send CERT on an all expenses paid (and tax deductable!) vacation for doing such a good job.

Then he'd collect his 10 pounds, and make a fortune off of advertising that 2003 is more secure than ever!

Re:heh

[smallguy78]

One of the original 2003 security features was to have IE warn you that you're using it, when it first installed. I wonder what ground breaking enhancements this one has

Re:heh

[AKAImBatman]

I don't know why everyone thinks this is funny. I should be getting a +1 "true 'dat!". Unless, that is, most people around here don't believe me? (In which case you don't know Bill Gates very well...)

Re:heh

[chrisopherpace]

Bah, it warned of a "higher security limitation" (i.e. it was locked down), not that it was installed. Troll.

Re:heh

[AKAImBatman]

I think that's what he meant. It's actually a really stupid lockdown, too. For every bloody damn site in existence: "Internet Explorer has blocked this site because it is currently untrusted." (Add to trusted list button at the bottom.)

Re:heh

[chrisopherpace]

You can disable it.....

Apply Windows 2000 Default Internet Explorer Security Settings
If Internet Explorer Enhanced Security Configuration is enabled on your server, you may decide to use the default Internet Explorer security settings used by Windows 2000.

To do this, follow these steps:
1. Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
2. Select Internet Explorer Enhanced Security Configuration, click to clear the selection, and then click OK.
3. Click Next, and then click Finish.
4. Restart Internet Explorer to apply the changes.

Re:heh

[AKAImBatman]

Which is what most people do. Which enhances security... how again? It's really a stupid way of "securing" a Windows machine, because it really amounts to nothing more than a nag screen telling you to not click on anything or the boogeyman is going to get you. :-/

Considering that the only reason why you need a web browser on a server is for troubleshooting and patch downloads, then disabling browser plugins, disabling auto-file open/external URL handlers, and removing ActiveX support should do the trick nicely.

Re:heh

[chrisopherpace]

Then they whine about how they can't surf from their server (had a client who I had to disable the "Enhanced Security Configuration" because they couldn't do that).....lose/lose situation I'm afraid.

Re:heh

[AKAImBatman]

1. You never hear anyone complain that they can't "surf" from their $50,000 Sun Server.

2. The option to reenable all of these features should be there, just have a nasty looking warning that says "Enabling this feature WILL compromise the security of this server. Are you sure you want to do this?" See if they still want to enable it then. ;-)

Re:heh

[KarmaMB84]

There's administration involved with Windows? I've never seen such a beast. It's not like it's rocket science.

Re:heh

[chrisopherpace]

The server in question was for a small buisness. It was running SBS 2003. I explained this to the client numerous times that this was not a good idea, to no avail. I don't think a big warning message would have deterred them.

Re:heh

[AKAImBatman]

Probably not, but at least they couldn't lay blame on anyone except themselves. Let their server come down a few times, and we'll see if they continue thinking the same way. Or perhaps the administrators really are that good, in which case let them disable it.

My only point is that 2003's current security model is pathetic. Only a few minor changes could make it not pathetic, but Microsoft isn't willing to go there.

Re:heh

[smallguy78]

yes that's what i meant, and it was pointless. It assumed that windows sys admins weren't capable of avoiding sites with spyware etc.

Re: Microsoft Releases Windows Server 2003 SP1

[dolo666]

First new and improved script-kiddie exploits available in 3...2..1...

Fire in the hole!

Servers set to auto crash!

Intriguing.

[Tuxedo+Jack]

I've been using the latest RC as a desktop OS for a while, and it's pretty good; it does have some issues with Steam, but then again, it's not meant to be a gaming OS, just a server OS.

All in all, though, it's damn stable and secure as is, and it's pretty responsive.

Re:Intriguing.

[gowen]

but then again, it's not meant to be a gaming OS, just a server OS.

Really? I thought MS were really pushing the fact that the Windows family of OS was a fully unified and, and that the fact that all modern software works on all the variants was a strong selling point for MS over Linux.

Re:Intriguing.

[AKAImBatman]

They lied. 2003 is a very poor execuse for a Desktop/Gaming machine. Not even Microsoft recommends it as such.

FWIW, Microsoft did manage to consolidate things about the time of XP. The reason why they unconsolidated was to bring many of their security features to the server market so that they wouldn't get trounced on by the competition before Longhorn is released. And to actually say something nice about Microsoft, 2003 *is* more secure. Unfortunately, most of that security is added in a rather stupid way. "You can't run IE because it is insecure. Would you like to make it runnable anyway? (Y/N)" (rolls eyes)

Re:Intriguing.

2003 is a very poor execuse for a Desktop/Gaming machine.

2003 is superior as a gaming machine (or anything else for that matter) than XP. I've played through far cry, hl2, bf1942, lock on, rallisport challenge, cod, splinter cell, GTA:VC, unreal II, and postal 2. See the google for "running 2003 as a desktop" to get your machine properly configured h/w acceleration on etc. Even the newest ATI catalyst drivers recognize 2003 as a valid target. Previous versions had to be manually installed via update drivers... but they still worked fine provided your configurations for a workstation were made.

Re:Intriguing.

[rmallico]

The Windows 2003 Server line is meant for just that.. Servers... XP is the client end.. the idea was for Win2003 Web, Win2003 AS Win2003 Enterprise Edition and Win2003 Datacenter to share code and just have differences in its ability.. similiar to RH AS, ES, WS and Desktop...

Re:Intriguing.

[RonnyJ]

They lied. 2003 is a very poor execuse for a Desktop/Gaming machine. Not even Microsoft recommends it as such.

I'm not quite sure why this was modded insightful - the new desktop OS XP64 is built upon the same codebase as 2K3 SP1, and accordingly, both XP64 and 2K3 SP1 went RTM (final) at the same time.

Re:Intriguing.

[Total_Wimp]

"You can't run IE because it is insecure. Would you like to make it runnable anyway? (Y/N)" (rolls eyes)

And what, exactly, is wrong with this? Do you want it running in insecure mode by default or do you want it set up so that you can't turn on the less secure features if you happen to require them and have other ways to make your environment secure?

MS is keeping things turned off by default, which is exactly what security experts have been recommending for years. They're also making it so you can turn those things back on if you happen to need them. This is good design

TW

Re:Intriguing.

[mixmasta]

Yes, off by default is good design, but the way MS implements it is completely lame. It amounts to stupid warnings and locked out features, practically forcing you to defeat the "security" to get your work done.

"This is locked! Don't mess with this!! You shouldn't be here! Pay no attention to the man behind the curtain!!"

Making an incredibly insecure browser, and then warning you to not run it, is not security. Especially when you need the browser to download some patches, drivers, or whatever.

Contrast that with a more proper implementation of security, i.e. no runnable objects allowed in the browser (by default), good privacy controls, and no "integration" with the core OS, etc.

When this is the case, tedious, stupid warnings are unnecessary and irrelevant.

I am not a Win S2K3 admin, but

[Tibor+the+Hun]

OK, I am not a Windows Server 2003 admin, but is it just me, or is it really odd that Microsoft is just now including a firewall?

Re:I am not a Win S2K3 admin, but

[Tuxedo+Jack]

It does seem kind of odd, seeing as how most people running this will be behind a NAT device on a private LAN (office servers and such). This isn't a desktop OS, and it won't get treated like XP does.

However, it doesn't hurt to turn it on and refuse all traffic until Windows Update has been visited.

Re:I am not a Win S2K3 admin, but

[Zebra_X]

You're right.

I have a couple dedicated servers and my biggest beef with 2003 is that it didn't come with a built in software firewall. Not only that, decent 3rd party wares were/are hard to find and had "more than I needed". There are a couple strategies for protecting your interfaces such as using RRAS to nat all outgoing requests, and forward incoming ones, but for whatever reason is difficult to get working correctly.

All in all a welcome update, but I'd like to know why it wasn't part of the original realease.

Re:I am not a Win S2K3 admin, but

[BanzaiBill]

You've been able to firewall individual connections for a long time. This is just the simplified cross connection firewall. It's main improvements are management. In the past, I've been able to dedicate an external interface to PPTP, etc. and block all other traffic. Same with FTP,etc.

Re:I am not a Win S2K3 admin, but

[8400_RPM]

I dont think so. Anyone putting a windows server on the internet without a hardware firewall deserves what they get.

And internally, certain ports have to be open to work. These will have to open on the new firewall, which means the firewall does dick.

Re:I am not a Win S2K3 admin, but

Windows Server (.NET, 2003 whatever) has had a firewall in it essentially since Windows NT, in the form of the IPSec services, which offer every bit as much functionality as IPTables.

The XP family bundled IPSec into a simple wrapper called Windows firewall, which was expanded upon in SP2 to provide things like warnings etc, and it is this functionality that has been cross-ported to the Server line.

Regards,

-Steve Gray

Re:I am not a Win S2K3 admin, but

[Tibor+the+Hun]

I would almost agree with you about "deserves what they get" but it is too harsh.

There are many a small business (in the States) that could set up their own light use webserver without having to worry about hiring a professional administrator.

I think it is irresponsible of Microsoft not to provide them with basic tools to run a simple Web server for example.

Re:I am not a Win S2K3 admin, but

[Deviate_X]

Well it did come with a firewall. As a fact the same firewall is supplied with every version of 2003 and XP:

Windows Basic Firewall

Re:I am not a Win S2K3 admin, but

I dont think so. Anyone putting a windows server on the internet without a hardware firewall deserves what they get.

I don't think so. Anyone posting inflamatory crap on /. without the proper karma deserves what they get.

Re:I am not a Win S2K3 admin, but

[Zebra_X]

Yes, but it doesn't work very well in an envronment with more than one IP address.

Re:I am not a Win S2K3 admin, but

[LurkerXXX]

So, are you just a linux user who has never touched 2003 server and like to bash MS, or are you an incompetent MS admin that gives the rest of them a bad name?

Vanilla 2003 server. Control Panel --> Network Connections--> Local Area Connections --> Properties-->Advanced--> "INTERNET CONNECTION FIREWALL"

Hmm, what do you know, a software firewall built into it.

Re:I am not a Win S2K3 admin, but

[LurkerXXX]

If you were a 2003 admin, you would know that the default vanilla 2003 server does indeed include a software firewall. Anyone who says it doesn't either has never used it, or is one of those paper MCSE types that has no actual working knowledge of how to admin a windows box, and never discovered the setup for it because it wasn't included in his cram course.

Re:I am not a Win S2K3 admin, but

[m50d]

Is it me or does including a firewall make no sense on a server? If there are vulnerable services running by default, surely turning them off would acomplish the same thing with less effort for MS. If users are turning them on, they can just as easily disable the firewall, and deserve all they get. If there are flaws in the TCP stack itself it can't be too hard to fix them, and they can probably be exploited using the ports that are open because they are running services - that's why it's called server, right?

The only legitimate reason to do this I can see is if they have network services they can't turn off, which require such an incredibly bad design I can't believe even MS would have that. Other than that, is it just the feelgood factor they get from clueless users by saying "firewall"? Or can anyone think of a legit reason?

Re:I am not a Win S2K3 admin, but

[LurkerXXX]

Great, now you've discoverd the firewall exists. Whats the problem with multiple IPs? You can easily set the access to specific ports by specific IP. Where's the problem?

Re:I am not a Win S2K3 admin, but

[hkb]

No, you're both wrong.

2003 has always had a firewall, ICF. NT, since at least version 4.0 has always had a firewall, but unfortunately, it was wrapped in the "IPSec Policy" functionality at the time.

I would expect a clueless MS basher to actually look before flaming, though.

Re:I am not a Win S2K3 admin, but

[sysgeek01]

I'm not a Microsoft cronie or advicate, but I also don't want people to be misinformed. Server 2003 DOES include a built in firewall by default, but at that same time it is turned off by default. Right click on the network connection's local area network icon -> click on properties -> and select the advanced tab.

Re:I am not a Win S2K3 admin, but

[drwtsn32]

Windows 2003 pre-SP1 had a firewall. It was just like the one in Windows XP pre-SP2 (ie, not as robust).

I haven't tried 2003 SP1 yet but I imagine it brings the firewall up to the functionality of the XP SP2 firewall.

Re:I am not a Win S2K3 admin, but

[Zebra_X]

Hmm what do you know, a marginal level of "firewalling".

I should have had been a little more specific. I'm looking for a firewall from MS, at least on their server OS that has at least as much functionality as IP Chains or PF. The NAT RRAS solution doesn't work very well - nor does the built in ICF.

Thank you for playing, please try again.

Re:I am not a Win S2K3 admin, but

[crimoid]

A local firewall will simply allow an administrator more control over who can access a system.

Examples:

You've got service "A" that you only want to allow connections from localhost.

Service "B" you only want connections from your local LAN

Service "C" you only want connections from one particular IP.

Re:I am not a Win S2K3 admin, but

[bitflip]

RRAS...but for whatever reason is difficult to get working correctly

Not "whatever reason". It would be just fine except for one glaring omission in the UI: specifying port/IP ranges. You can't; they must be specified one at a time. It can be scripted, but that's way beyond your typical admin, and wholly inadequate if you need more than a couple of standard ports open.

OTOH, I've used it quite successfully on web servers that needed only a couple of ports open.

Re:I am not a Win S2K3 admin, but

[highcon]

And internally, certain ports have to be open to work. These will have to open on the new firewall, which means the firewall does dick.

Actually, good firewalls allow you to restrict which hosts can access these certain ports. This is the difference between these certain ports being accessible to the world and only trusted hosts getting access to your certain ports. That is quite a difference, and something you couldn't make the crippled Windows Firewall that came with server 2003 do. Because that would have made it actually useful. So, a good firewall does more than dick, even if certain ports have to be open.

Re:I am not a Win S2K3 admin, but

[Afrosheen]

Where's the problem?

PEBCAK.

Seriously though, why cry about a software firewall missing anyway? Anyone worth their weight in penguin poop uses a Cisco or other router to do alot of their dirty work for them. A software firewall is more like a last line of defense. I'd hate to see these guys running a group of servers in an average IT department. "No software firewall? Oh well! I'll just plug it into the t1 on it's public IP and away we go!"

Re:I am not a Win S2K3 admin, but

[Zebra_X]

LOL - have you tried this?

NAT protects at the interface level. Port forwarding is also accomplished at the interface level. The "firewalling" can be done by setting up general port forwards for the interface, and specifying IP filters for address in the NAT pool. This is a "hack" as far as I'm concerned. Primarily because the NAT/Basic Firewall is mislabeled. It's NAT with port forwarding and an option to filter packets. This setup can end up acting like a firewall but it's difficult to setup, use and administer.

ICF protects at the IP Address level, however you cannot specify more than A) IP Address B) Service. So in a multiple IP environment (how many servers, especially web servers do you know that have just one IP address?) ICF is effectively useless.

Re:I am not a Win S2K3 admin, but

[ccdotnet]

Hmm what do you know, a marginal level of "firewalling".

Given most msgs in this thread have mentioned small networks running 2003, they'll be talking about SBS2003. Given even most small businesses need SQL, they'll be talking about SBS2003 Premium.

So they have ISA. Internet Securi......

Re:I am not a Win S2K3 admin, but

[ccdotnet]

And internally, certain ports have to be open to work. These will have to open on the new firewall, which means the firewall does dick.

... repeat after me, m-u-l-t-i-p-l-e network adapters........

You firewall the external one.

Re:I am not a Win S2K3 admin, but

[LurkerXXX]

So first you say the firewall doesn't exist. And then you admit it exists, but it doesn't work well. When asked why, you say it's a 'hack'. You can filter by IP and by port. You can do that per port filtering on as many individual IPs as you care to give the box. That's a how lots of basic firewalls are. Personally I always have OpenBSD boxes up front protecting all my servers, be they MS, Apple or *BSD/nix, and the servers built-in firewall is only a 2nd line of defense.

Ok, it's a fairly simple firewall, and it isn't designed the way you want. That does NOT mean it doesn't exist, as you claim in your first post. That doesn't mean it doesnt' work with multiple IPs as you seem to claim in your second post. It just doesn't do it as easily as you'd like. FYI, there is a difference between existance and meeting your personal ease-of-use requirments.

MS software has PLENTY of faults with it. They do LOTS of stuff wrong. There is no need to make up shit that isn't true. When you claim something doesn't exist that does, your just spreading FUD and casting doubt on other valid criticisms of their software. FUD is bad, no matter which side of the OS wars you sit on.

Re:I am not a Win S2K3 admin, but

[LurkerXXX]

Yeah, maybe you should have said you don't like the included firewall rather than saying it doesn't exist. See, the difference is one is true, and one isn't.

I run a number of OpenBSD machines. I prefer PF myself. That doesn't mean I'm going to claim IP Chains doesn't exist just because I don't like it. Stop spreading FUD.

Re:I am not a Win S2K3 admin, but

[iBod]

>>ncluding a firewall would be an admission that hacking Windows boxen was even remotely possible. You don't want to risk scaring the herd into a stampede by shouting "firewall".

Well, they include a software firewall (enabled by default) with XP don't they?

You have a fondness for the words 'herd' and 'stampede' - are you a cowboy?

And what is this 'boxen' you speak of?

Re:I am not a Win S2K3 admin, but

[ergo98]

A software firewall is more like a last line of defense.

That's exactly what it is, and it serves the role well. If you have 5 servers in a DMZ, all going through a common firewall, you still should limit access between those 5 servers (so if one is exploited it has limited access to the other servers). e.g. The SQL Server machine only allows subnet 1433 TCP connections, and so on.

You don't want something behind the real firewall causing havoc, but it's better to be prepared for that possibility.

Re:I am not a Win S2K3 admin, but

[soulhuntre]

Gotta love it, a post that actually answers a question and provides information labelled "Troll" because it may actually prefent the spread of Anti_MS FUD.

Way to go slashmods!

Re:I am not a Win S2K3 admin, but

[springbox]

The best free firewall that gives you control like this is Sygate's Personal Firewall. It gives you process level control of who and what can access the network on what interface and (optionally) at what time. I use this firewall on one of my computers that's running Windows Server 2003. It would be nice if Microsoft tried to make their built in firewall more flexible like this one is for the server environment.

Re:I am not a Win S2K3 admin, but

[Tibor+the+Hun]

Thanx for your answers lurker, i'm glad someone out there knows how to admin windows boxes.
I run my webserver and ssh fileserver on os X, so it surprised me to se a mention of a firewall in SP1.

Re:I am not a Win S2K3 admin, but

[toadlife]

I think the major difference between Windows firewall and IPSEC is that that Windows Firewall is statefull. IPSEC alone has no statefull ability, but has more granular controls - like outbound traffic control.

If you combine Windows firewall with IPSEC, you can get pretty granular with traffic control. On our internal Win2k servers that have MSSQL Server installed, I've always used IPSEC to control internal traffic.

Re:I am not a Win S2K3 admin, but

[rikkards]

It would seem odd except they have had one (albeit very rudimentary) since Windows NT. You could limit what ports a network card would listen to but it was a really simple interface.

Re:I am not a Win S2K3 admin, but

[CPUGuy]

Is it just me, or has NOBODY on here ever even used the basic firewall built into RRAS, which does more than just the standard Windows firewall, and which was shipped with the original Win2k3.

Re:I am not a Win S2K3 admin, but

[drsmithy]

Is it just me, or has NOBODY on here ever even used the basic firewall built into RRAS, which does more than just the standard Windows firewall, and which was shipped with the original Win2k3.

Dude, this is Slashdot. No-one here has used Windows for anything except reading Slashdot and playing games.

Re:I am not a Win S2K3 admin, but

[klui]

Backpeddling sure is fun. Your original statement was just plain wrong. Why won't you admit it?

Re:I am not a Win S2K3 admin, but

[Ash-Fox]

>I have a couple dedicated servers and my biggest beef with 2003 is that it didn't come with a built in software firewall.

No offense, but I have found Microsoft's Windows 2003 routing and remote access a exceptional firewall.

I have not yet found any real vulnerabilities that could ever get past it. Oh, and it comes with the OS... You were saying?

"beta version of Longhorn Server later this year"

[scupper]

The company also plans to have a beta version of Longhorn Server later this year.

"That's our expectation," Price said.

So what is "later this year" in Microsoft time?

This?
http://www.winsupersite.com/showcase/longhorn_prev iew_2005.asp

Longhorn Milestone 9 (M9) and platform complete
March 2005

Longhorn Beta 1
Late May 2005

Longhorn Beta 2
October 2005

Longhorn Release Candidate 0 (RC0)
Late February 2006

Longhorn Release Candidate 1 (RC1)
April 2006

Longhorn release to manufacturing (RTM)
May 24, 2006

Brilliant idea

[SilentChris]

In all seriousness, I definitely like the new "PSSU" (Post-Setup Security Updates) feature. Awful name, but it does the following when someone first installs Windows 2003:

1.) Blocks all incoming traffic.
2.) Immediately guides the first person who logs on through downloading updates.

This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.

Re:Brilliant idea

[Koiu+Lpoi]

Is this a required step? Because I know there are times when I need to go straight into the Windows GUI - such as installing drivers to get on the internet in the first place.

Re:Brilliant idea

[drinkypoo]

This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.

Luckily, this is exactly what happens when a user installs Windows XP SP2 on a system. The firewall is enabled by default and the system starts harassing you about automatic updates.

Re:Brilliant idea

[Steven+Gray+(Pulse+U]

Point number 1 was addressed in Service Pack 1, Point number two was covered in Service Pack 2. These features are not new to the Windows family, but were cross ported to the server series after success in the XP product family.

Re:Brilliant idea

[jayhawk88]

What do you expect from the company who's update server product was named "WUS" (Windows Update Services) up until recently (they changed it to "WSUS", so much better).

But yeah, this is PSSU thing does sound like a pretty good idea. Surely this will make it into Longhorn.

Re:Brilliant idea

[Patrick+Mannion]

At least it wasn't PUSSY!

Re:Brilliant idea

[SilentChris]

Well, not quite. Service Pack 2 for XP blocks all incoming traffic during the boot procedure, but it didn't block all traffic once you reached the opening user configuration dialog. Also, you weren't directed to the Windows Update site -- you were asked if you wanted to have Windows download updates automatically. Between the time the dialog starts and the time Windows decided to download updates, you're vulnerable.

Re:Brilliant idea

[SilentChris]

Not quite. During the boot procedure, all traffic is blocked, but while the opening user dialog is running for the first time, traffic is open. The user is also given a choice if the firewall is enabled or not. They're also given the choice to have Windows download updates or not. They can turn down both choices.

In this new system, all traffic is blocked and the user is shuttled off to the Windows Update site. They can disable settings later if they want. This way, it's secure out of the box.

Re:Brilliant idea

[SilentChris]

The only driver I think most people would need to install is ethernet, and that can come on a CD. I certainly don't know anyone that installs ethernet drivers on fresh boxes using the network (if you can, show me how to perform that magic ;) ).

That said, what it'd probably do is show the new user dialog, go to the site and bail out. I haven't tested what happens when the network card isn't properly installed.

Re:Brilliant idea

[YU+Nicks+NE+Way]

If you turn off the firewall, yes, you're vulnerable. But the firewall is not turned off by default during that interval.

Re:Brilliant idea

[Val314]

the only Question from XPSP2 was if i want to enable Auto-Updates. the Firewall was enabled without asking me (that was XP Pro Corporate Edition)

Re:Brilliant idea

[SilentChris]

Dell sends me boxes all the time that ask if I want the firewall enabled. It's usually the first question I'm asked after agreeing to Dell's EULA.

Re:Brilliant idea

[Pesticide01]

The funny thing is.. Microsoft created this due to coming to the realization that boxes were getting 0wn3d within seconds of being internet accessable.. before the user could even download patches. LOL

Re:Brilliant idea

[RichM]

In all seriousness, I definitely like the new "PSSU" (Post-Setup Security Updates) feature. Awful name, but it does the following when someone first installs Windows 2003:

1.) Blocks all incoming traffic. 2.) Immediately guides the first person who logs on through downloading updates.

This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.

It's not such a great idea if the only access you have to the machine is by Remote Desktop.

Re:Brilliant idea

[Xerp]

This would be such a terrific blessing for new XP users

A superlative suggestion, sir, with just two minor flaws.

One, my Gran doesn't have a broadband connection, and two, my Gran doesn't have a broadband connection. Now I realise that, technically speaking, that's only one flaw but I thought it was such a big one it was worth mentioning twice.

(Thanks to Red Dwarf)

This would be a moronic and hideous pain in the arse for new users. Expect a network connection and also expect someone not to get totally befuddled! Madness. Such things should stay in the Server realm where at least you can hope that the person is tech-savvy.

Enhancements / New Features

Enhancements

In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:

Stronger defaults and privilege reduction on services--Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.

Support for "no execute" hardware--Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.

Network Access Quarantine Control components included--Windows Server 2003 SP1now includes the Rqs.exe and Rqc.exe components to make deployment ofNetwork Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003.

IIS 6.0 metabase auditing--The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.

New features

Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.

Windows Firewall--Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer's network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.

Post-Setup Security Updates (PSSU)--Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.

Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.

Re:Enhancements / New Features

[value_added]

New Features ... Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles.

Woohoo! More wizards!

Now you too can become a Microsoft Widows Server 2003 Administrator. Who said you can't have both security and easy of use? Err ... or can you?

Security enhancements from XP SP2?

[anynameleft]

Isn't Windows Server 2003 designed to be used on important machines? If yes, what benefit do these patches have? I doubt that many system administrators don't know about firewalls, and those who do probably don't know anything about patches, updates and service packs either.

Re:Security enhancements from XP SP2?

[Steven+Gray+(Pulse+U]

The enhancements allow you server new things beyond a firewall update. Namely:- (1) Boot-time IPSec rules applied. (i.e. no nasty attacks while booting) (2) No-Execute (DEP/NX) functionality for core system services and the kernel. (3) VPN isolation of unpatched machines. (4) Firewall is controllable from Active Directory. (5) IIS configuration metabase auditing. These are things that are fairly vital really, possibly with the exception of 3, since it's not every server that really needs a VPN.

Re: Microsoft Releases Windows Server 2003 SP1

[SilentChris]

True, but they have a few excellent ideas in there. I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

The PSSU feature, though (as I mentioned in another post), that blocks incoming traffic on first boot and immediately directs the user to download updates is awesome. Why other companies haven't thought about this, I have no idea. I really hope this gets put into the next consumer version of Windows.

Re:We just got BSOD

[Ucklak]

That $245 is per incident, not per hour.

One more SP to go to make it worth installing...

[Metroid72]

I say wait until SP2.

64 bit XP

[buhatkj]

IMHOP, the more interesting tidbit from this article is the info that XP 64-bit should go on sale next month :-) As the proud owner of 2 athlon 64's, that's actually something I would want to know about....

Re:64 bit XP

[x-caiver]

Windows Server 2003, released in March of 2003, supported Intel Itanium processors which are in fact 64-bit chips.

Re:64 bit XP

[CPUGuy]

NT4 also ran on Alpha's.

Fascinatingly Uninteresting

[OSXexpert]

Ok, I have used Windows for development in 95 and 98 releases and now use OS X very happily. What surprises me is we are in late March of 2005 and Windows 2003 SP***1*** is being released.

Re:Fascinatingly Uninteresting

[Steven+Gray+(Pulse+U]

Why release one if theres no loud demand for it? Seeing as your an Apple user, I'm afraid to break the news to you that not every OS vendor has chance to push out a few mediocre SDK features every half year and name it after some random wild animal. Server is one of the most polished efforts from Microsoft yet, and as a test case of it's new security initiative you'd be hard pressed to find signifigant fault, since practically every bug that's hit the XP range is not a threat to it, and in terms of total security issues it's behind on the Linux kernel itself, let alone any of the distributions. There are some beardy guys who can best even that, but I don't want to talk about theee....arr....ghhhh...heellp... *runs from the Unix geeks*

This SP is the basis for Longhorn?

[StateOfTheUnion]

From the News.com.com link in the topic:

Microsoft is also using the Windows Server 2003 SP1 code base as the starting point for the next desktop version of Windows, code-named Longhorn, which is slated to arrive next year.

Wasn't Longhorn supposed to originally be released this year? If they're going to use this service pack as a code base, they must be a long, long, long way off from a longhorn release . . .

Re: Microsoft Releases Windows Server 2003 SP1

[suso]

(personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

[sarc]
But wizards help to let everyone have a server. Its the logical follow up to having spelling and grammar checking in your software. Pretty soon, you won't need to learn about anything to administer a windows cluster. Heck, you won't even need a mouse or schooling. Just a microphone, voice recognition software and that MIT metaphor software. You'll just growl at your computer and it will magically do what you want.
[/sarc]

Re:We just got BSOD

[nharmon]

Way to go Microsoft. Cashing in by making your Service Pack bluescreen computers, resulting in lots of incidents. $245 a pop, and they can resolve them all by just telling the person "Reinstall Windows and don't run the Service Pack"...

What a crock.

Re:"beta version of Longhorn Server later this yea

[Uptown+Joe]

"Longhorn release to manufacturing (RTM)
May 24, 2006"

I always thought that "RTM" meant Read the Manual. as in RTfM...

who knew...

- Joe

329.3 MB Of What? Why The Monolithic Patches?

[EXTomar]

It is quite hefty but then this is what I expect from "Service Packs" especially in one giant chunk.

"Download time remaining: 22 minutes"

So now I'm chained to box since I suspect at some point I need to click something on some dialog to complete installation (this is an assumption but past history on other updates tells me I should watch the process to make sure it goes all the way through).

On the other hand I had to setup sever based off of FC3 yesterday and out of the box it required to download 450MBish of stuff broken into 150+ individual downloads. After installing the gpg keys, I started the update ('yum -y update') and walked away from it. Other systems have something that is just as easy and dare say fool proof.

I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accomidate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.

Small Business Server 2003?

[kevinroyalty]

If you install this on SBS2003, do NOT run the new wizards - wait until SBS2003 SP1 is released in the next month or so.

Re:Small Business Server 2003?

[j0217995]

Why would you be installing this on SBS 2003? You would break more then its worth. SBS 2003 SP1 will help you out instead.

Service Packs for SBS are special due to ISA, SQL and everything else installed on it. A Windows 2003 Server service pack will cause more headaches for any SBS user. Just wait until MS gets it service pack uploaded

Re:Small Business Server 2003?

[kevinroyalty]

My point exactly :) I know that the Server 2003 SP1 is part of SBS SP1, but if you don't have the SBS specific patches, then installing the Server 2003 SP1 is not advised at this time. Kevin

Re:Small Business Server 2003?

[kevinroyalty]

Susan Bradley and other SBS-MVPs have closely analyzed the new Windows Server 2003 Server Pack 1 release (see http://www.crn.com/sections/breakingnews/dailyarch ives.jhtml?articleId=160400108 for details) and CONCLUDED that this SHOULD NOT BE APPLIED to SBS 2003!

Susan writes about this matter at her blog site:

http://msmvps.com/bradley/archive/2005/04/01/40479 .aspx
http://msmvps.com/bradley/archive/2005/03/31/40399 .aspx
http://msmvps.com/bradley/archive/2005/03/31/40423 .aspx

(above cut-n-paste from Harry Brelsford email)
Kevin

Re:We just got BSOD

[Monoman]

I downloaded the SP1 first thing this AM. I will now sit on it while waiting to see if they pull it and release SP1a.

I sure it was a test server. I can't imagine any *good* admin configuring a production system to automagically recieve updates.

It sucks to be you today. :-(

Holy Crap

[omega9]

File Name: WindowsServer2003-KB889101-SP1-x86-ENU.exe
Downlo ad Size: 337230 KB
Date Published: 3/30/2005
Version: SP1

Even without specifics, it blows me away that a service pack is almost 330MB. How can you explain something like that? If it's supposedly not insecure, and that much of an improvement over W2K Server, yet still requires fixes to the tune of half the size of the original install CD... then what am I suppsed to think?

Honestly. Can anyone give a legit reason why this is acceptable?

Re:Holy Crap

[Red+Pointy+Tail]

It could be that many libraries were completely re-compiled with a better compiler that automatically closes some holes (like data overflows), so the whole shebang needs to be reapplied, even if there were actually no code changes.

Re:Holy Crap

[optimus2861]

Punting the mod points...

This is different from Linux packages how, though? RPM doesn't do deltas. DEB doesn't do deltas. Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. Mandrake 10.1 has gone through at least three full RPM releases of KDE 3.2 for bugfixes -- that's not a fun set of downloads, let me tell you.

It's a valid criticism for everyone, not just MS.

Re:Holy Crap

[SteveX]

If some of the security updates are related to compiling with different options (like the buffer overflow detection changes Visual C++ has been making), then every binary would be affected.

Re:Holy Crap

[sjaskow]

Solaris isn't much better. The Solaris 9 recommended cluster is a 149.9 MB zip file. Go to the patch portal: http://sunsolve.sun.com/pub-cgi/show.pl?target=pat ches/patch-access to see how big they've gotten.

Re:Holy Crap

[SmokeHalo]

Perhaps they should've taken out Windows Media Player to shorten the download.

Re:Holy Crap

[SunFan]

Well, on one hand, they feel the need to replace the entire operating system as a security upgrade. Warm fuzzies waning...

On the other hand, you now have an OS that has been replaced but has the same name, so who knows what side effects there will be on existing applications. Warm fuzzies gone.

Ugh.

I don't think the big UNIX vendors could ever get away with this, but Microsoft can.

Oh, and what is this I've been hearing about a forced Windows XP SP2 upgrade in April for everyone using WIndows Update? One more reason I'm glad I use UNIX/Linux at home.

Re:Holy Crap

[Deagol]

One of my pet peeves, too. It seems nobody does diff'ed updates. The BSD's core OS does diff downloads in source form, but it infuriates me that the ports/packages/whatever mechanism does *not*. Yeah, I know that source tarballs are grabbed from (mostly) official repositories in full form. But why can't a systems like ports or portage do an rsync or cvs update of the source tree itself on some maintained server?

And as a home modem user, updating Fedora Core 3 via POTS is a bothersome experience. Since the initial install, OpenOffice has been updated in its entirety 4 times, X.org twice, plus tons of other large updates, though the majority are one-off updates. My /var/cache/yum tree was hovering just over 2GB until I hand-weeded the obsolete RPMs, leaving the ~900MB of most current ones to burn to DVD-R so I don't need to dedicate many, many (admittedly, night-time) hours of download time again for subsequent installs.

Any developers care to comment on why delta/diff updates aren't more common?

Re:Holy Crap

[SunFan]

Sun doesn't recompile the whole OS with different compiler flags, though. Big difference.

Re:Holy Crap

[GoatPigSheep]

Not as bad as OS X, each upgrade to OS X 10 like 10.1, 10.2, 10.3 requires you to repurchase the entire OS, which is over a gig!

Oh Great.....

[mormop]

Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2

In other words now you've finished dealing with the chaos that was caused by XP SP2 you can now start dealing with the chaos that is S2k3 SP1

Re:We just got BSOD

[varmittang]

Ouch. Making sure Auto Update is off now.

Posters Don't Know What to Bitch About

[xxxJonBoyxxx]

The usual security complaints about Microsoft OS's are that:
1) They are easy to crack remotely with default installs.
2) Weekly if not daily patches are required.

So, Microsoft comes out with SP1 and people are already whining.
1) What is the "no inbound connections by default" stuff going to help?
2) The length of time between Windows 2003's release and its first service pack.

C'mon people, put it together.

how did a blatant liar get modded up?

This is beta software and not part of Windows Update. There's literally NO WAY it could have been automatically downloaded and installed: it must be manually downloaded and then explicitly installed.

Slashbots are morons for a) believing this troll and b) modding it up.

Re:how did a blatant liar get modded up?

[varmittang]

By being and Anonymous Coward.

Run Windows Update if you have a Windows 2003 server, it shows up. Now its time to sit and wait, see if its worth the trouble to install it later tonight.

Re:how did a blatant liar get modded up?

[LABob]

Mod parent up!!! I have 3 W2K3 server (all of which have auto updates enabled) and NONE of them automatically downloaded and installed it. This is the same FUD we heard/hear about XP SP2... let me say it once more loud and clear:

Automatic Updates does not install service packs. It will download them, but it has never and will never install them. They have a EULA that must be accepted, disclaimers that must be clicked through, etc. Stop spreading lies about Automatic Update. The people spreading this crap are a) Lying or b) Stupid or c) All of the above

Just once ...

[KSobby]

Just once i would like to see MS take a "when it's finished" attitude about their OS releases. I'm really starting to be annoyed by the thought of scheduled patches and fixes. I understand that OSes are probably the most complex bit of software written but the idea of a release occuring while the dev team then immediately starts patching is a bit off putting. I know, MS isn't the only one that does this and I know this isn't a new complaint but we all need to vent. I'm surprised that a whole new branch of psychology hasn't sprung up dealing with OS rage. By the amount of flamebait being spewed by all camps (except the Amiga crew ... they're still blissfully happy listening to their Flock of Seagulls and A-Ha albums while doing pixel art ... lucky bastards) I'm surprised that none of the developers have really taken the hint. But when you have that much of a market share who do you really have to answer to other than shareholders? Hmmm ... if only i could figure out how to code clay tablets and start the whole industry over ... Cunieform v1.5 - Code Name: Babylon ... although at release 5.0 I think I might run into some legal troubles with Mr. J. Michael Straczynski.

Re:Just once ...

[xxxJonBoyxxx]

"I understand that OSes are probably the most complex bit of software written but the idea of a release occuring while the dev team then immediately starts patching is a bit off putting."

The open-source world must scare you shitless then. A lot of those projects have a release-of-the-day or release-of-the-week...

Re:Just once ...

[RichMeatyTaste]

.... because software is never finished.

The freaking beta programs last for 1-2 years as it is, involve hundreds of thousands of corporate and IT professional testers, etc.

Software is never perfect because it cannot be. Unless you lock down every aspect of the hardware and envorinment (Apple does this somewhat) you will pretty much always be playing catch up.

Compare the frequency of operating system releases between that of Microsoft and other companies; Microsoft is less frequent than most.

Re: Microsoft Releases Windows Server 2003 SP1

[drinkypoo]

if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

I disagree that the primary message is that the user is incompetent. If your server insecure out of the box in such simple ways that they can be fixed using a security wizard, you're using the wrong operating system. This is a server OS, it makes no sense to have it be insecure by default.

Re:We just got BSOD

[The+Jonas]

How did it "automagically" deploy on your box when MS isn't putting it on Windows Update until July? It can only be manually downloaded until then.

It is available through Windows Update right now. I don't know if it will work through Automatic Updates, but if you manually activate Windows Update the scan results page will inform you that it is one of the "Critical Updates and Service Packs".

Re:We just got BSOD

[PPGMD]

Well you are either lieing, or are stupid.

Applying a brand new update for any OS (be it Linux or Windows) on a production server is simply stupid, I have only now just downloaded the information sheets on SP1 to deploy on our lab servers. Your also stupid if you have automatic update running at all on a production server.

Now I think you are most likely lieing as it hasn't been released to automatic updates (Microsoft isn't that much of an asshole). Second Microsoft support is pay for hour (at least I have never seen any), it's pay per incident, and if you were smart you would get a hold of your consultant (you do have a certified partner that you work with?), who gets free business down support, in which your case would qualify.

wrong

[Sean+Clifford]

Wrong - it *is* on Windows Update. We just looked at it. If you're on Windows Server 2003 you'll see this too:

Windows Server 2003 Service Pack 1* Download size: 329.3 MB, 4 hours 15 minutes Windows Server 2003 Service Pack 1 (SP1) enhances manageability, control, and security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations. SP1 improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Read more... * Must be installed separately from other updates

You can also download SP1 here, though I wouldn't recommend it.

Re:wrong

[CowboyMeal]

Screenshot for those who don't believe him.

Re:wrong

[Maniacal]

I think the argument is whether or not it's part of the "automatic" updates. Not whether or not it can be obtianed via Windows Update.

Service packs are never automatically installed.

Re:wrong

[Maniacal]

ooops. my bad. I thought your comment was in reply to another comment about a comment about autom....

forget it. Just ignore my post :)

Netbooting Windows with tftp in SP1!

[thule]

According to these links, Microsoft has finally figured out how Linux boots with tftp:
BartPE using PXE
Booting Windows from a Debian box
It's nice to see Microsoft pick this up. Booting Windows with standard tools, what a concept!
I'm sooooo spoiled with anaconda kickstarts... can Microsoft make deploying servers as easy as RedHat/Fedora?

Re:Netbooting Windows with tftp in SP1!

[ghjm]

Yes, NT, 2000 Server and 2003 Server have all included Remote Installation Services, which allows you to network-boot PXE compatible clients *using Microsoft proprietary protocols*.

What they have changed is that 2003 Server SP1, as I understand it, now allows you to network-boot PXE compatible clients *using tftp and any CD image*, whether from Microsoft or not.

So I should now be able to toss a Knoppix ISO on my 2003 SP1 server, and netboot any PXE machine I happen to own.

I don't know if it's really this easy, or what the gotchas are, but conceptually it's a big step forward.

-Graham

Re:Netbooting Windows with tftp in SP1!

[thule]

You should have read the links before you responded. I wasn't just talking about PXE. Notice that I mentioned tftp in the posting.

Re:Netbooting Windows with tftp in SP1!

[drsmithy]

I'm sooooo spoiled with anaconda kickstarts... can Microsoft make deploying servers as easy as RedHat/Fedora?

RIS has been around for *years*.

Re:"beta version of Longhorn Server later this yea

[_the_bascule]

I had a pranoid thought the other day. It seems that the MS policy for supporting products runs for about 5 years. Support for 2K pro was dropped earlier this year. XP was first released in May 2001, longhorn May 2006. Is this the forthcoming strategy for the forced upgrades the we all know and love?

Mod Parent Up Informative

[Winckle]

Good point, but, still there are better ways to release updates than to force a re-install of the DLLs

Re:We just got BSOD

[RichMeatyTaste]

Laugh....
So I'll bite and run a manual sync of our WUS (Windows Update Services) servers.
No 2003 SP1 yet. Try to more creative with your trolling.

LAND attack?

[maztuhblastah]

Anyone know if it's still vulnerable to the old LAND attack?

-maztuh

Re:and

[Steven+Gray+(Pulse+U]

If you find a firewall UI update has broken your key applications, I put it to you that your businesses IT department has a few larger concerns than the next update of Windows Server 2003.

Pass my resume on to your manager :)

Re:Horse Escapes; Barn Door Closes

[PPGMD]

You see the little problem with that is, that few of the exploits that were fixed with Windows XP SP 2, are remote exploits. A local IE exploit doesn't matter to a Windows Server 2003 machine, because in most cases, IE is only used to browse the local intranet, or to get Windows Update.

Unless another Blaster type worm was found, and it wasn't put on NTBUGTRAQ, I did a quick search of my BUGTRAQ folder and didn't see any remote exploits since the release of SP2.

Re:and

[bradhannah]

People are forgetting that the majority of broken apps when XP Sp2 came out, was because they unsafe, or did not conform to the new Microsoft security standards. THere were betas and RC's out for months, the manufacturers are the ones who screwed up, by not jumping on them and "fixing" their apps to work with the new security measures. Brad

Re:"beta version of Longhorn Server later this yea

[Espectr0]

So what is "later this year" in Microsoft time?

Longhorn SERVER, not client

Update - re: Automatic updates, etc.

[Sean+Clifford]

Just talked with the network admin again (he's on the phone w/MS); it wasn't automatically applied.

And no, it wasn't a production box. And no, this is not trolling or FUD; this is a legit problem and I doubt we're the only ones seeing it. When the problem reared its ugly head I thought I'd take a look on /. to see if anyone else is having this problem.

Once we get this sorted out, I'll post notes about how it worked out.

Amazing how political this stuff gets.

Re:Update - re: Automatic updates, etc.

[Martin+Blank]

So... you're complaining because someone logged into a production box, downloaded SP1, and applied it without testing it on anything else, or making a proper backup?

No sympathies, particularly when your story gets completely reversed from something that was completely untrue.

Re:Fails the "Stuff that Matters" test

[xxxJonBoyxxx]

"Fails the Stuff that Matters test"

Unless you're an introverted cubicle-minion who gets away dealing only with a narrow set of *nix or mainframe applications (which never talk to Windows boxes), I would think Win2K3sp1 is news.

Another way to look at is that Slashdot will happily post the latest release of "NotReallyNecessaryUtility 0.3 Beta" as news...

Security Configuration Wizard (SCW) for XP?

[scupper]

Hey, why aren't they rolling out a paired down version of Security Configuration Wizard (SCW) for XP?

The "Security Center" on XP is pretty cheesy, didn't even include an updated MBSA until a couple months after XP sp2 was released. Most folks won't dig into using the Local Security Policy snap-in or Security Configuration and Analysis snap-in, or fiddle with changing their template.

Re:Horse Escapes; Barn Door Closes

[Steven+Gray+(Pulse+U]

You'll find it was the other way around, Windows XP has had quite a few flaws since SP1 and SP2 that have been isolated and the patches cross-ported from the Windows server tree. Namely because there was a line by line review of the entire codebase for server, and that all of the new compiler tools were built and first used producing it.

Re:329.3 MB Of What? Why The Monolithic Patches?

[Slashcrap]

On the other hand I had to setup sever based off of FC3 yesterday and out of the box it required to download 450MBish of stuff broken into 150+ individual downloads.

OK. So the Win2k3 download was about 300MB and the Red Hat patches came to 450MB. Fair point.

Except that the Windows Service Pack only updated Windows. Whereas the Red Hat patches updated about 150 apps, going by your figures.

So it's not really an apples for apples comparison. Unless that 450MB of patches were just for the Kernel and essential system libraries. Although knowing Red Hat's "kitchen sink" approach to their kernel packages I guess it's possible.

Re:I'm impressed

[SilentChris]

"I'm really at a loss of words to describe this brilliance.
Just think of it, closing all open ports from incoming traffic by default now. Wow. Why didn't anyone else come up with this great idea before?"

It's not what you're thinking of - I don't think you're getting it. This isn't a firewall that gets turned on. Rather, the user can't do anything on the network until the system is up-to-date. It basically sandboxes the user from all internet traffic but the update site. I don't know of a single other OS that does this.

Mod Parent Down, Uninformed

[Steven+Gray+(Pulse+U]

The size is because the entire of the core services set has been recompiled to use the XP-SP2 Data-Execution prevention technology, which allows for NX support in all applications with appropriate hardware, and a further emulated NX feature that covers the core services infrastructure regardless of CPU platform. This doesnt require most applications to be recompiled, because most of the changes have occured behind the Hardware abstraction that all Windows applications are coded for.

Re:Mod Parent Down, Uninformed

[superskippy]

Offtopic, but.... the moderation system is so that the most interesting posts float to the top, not the most "correct". This post asks a valid question, and is therefore "Interesting". Uninformed != low score. (you're right, it's perhaps not "Insightful").

Weeeee!

[Lisandro]

Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2.

YES! I bet W2k3 server sysadmins will just love the new security features of XP like that great firewall. You know... the one that blocks local ICMP pings by default!

Re:Weeeee!

[sysgeek01]

blocking incoming ICMP pings are a good thing as they are a security risk.

Re:Weeeee!

[Lisandro]

Keyword here is LOCAL. It's not funny to found a server not responding to a ping request and realizing it's not dead, it's just the damn firewall blocking it.

Re:Weeeee!

[WhiteWolf666]

blocking incoming XXXXX (insert services here) is a good thing as it they are a security risk.

Tradeoff, securityusability.

Re:Weeeee!

[sysgeek01]

99% of all network based applications do not need to us ICMP echo and ICMP echo requests to be usable. If that were the case it wouldn't be a best practice to block ICMP echo and echo requests.

Re:Weeeee!

[sysgeek01]

It's not a problem if a person know's how to troubleshoot.

Re:Weeeee!

[Lisandro]

Oh, come on. Blocking local ping requests? We should then lock all incoming ports too aswell; if anything doesn't work it's just a matter of troubleshooting.

It's not nitpicking - the firewall works reasonably well, but the defaults are awful. There's no reason to leave out a basic network tool like pinging.

Re:Weeeee!

[mottie]

you do realize that LOCAL can mean public.. yes if you're on 192.168.0.0/16 its a private IP, but if your on a cable modem with no router you would be allowing anyone on your subnet ping you.. If you can't ping a client from your server it's your own fault. You can fully control the XP2 firewall using group policy to disable it when it is truly LOCAL

Re:Weeeee!

[tweek]

While I would agree, there is a big enough problem with Clueless Admins blocking ALL ICMP and breaking things for the rest of the world.

Let me put it here for future generations. If you want to block ICMP, go ahead but leave the following enabled and the rest of the fucking internet will thank you:

echo
echo-reply
Packet too big
TTL Exceeded
Unreach

Go ahead and block the fragments and all others but leave those allowed so that things don't break.

If you really get snarky go ahead and block echo/echo-reply but the other three are musts to be allowed.

Re:I'm impressed

[PPGMD]

Now that's great. After all it is supposed to be a server OS, so people who deploy it can't be expected to know about things like updates, etc... Brilliant again.

Not even Linux can be deployed without updates, unless you download a version that was released within the last week.

AWBS

[Xibo]

Attention Whoring Bull Shitter.

Re:Are you running NAV corp?

[Sean+Clifford]

Yes, we are running NAV corp. I'll check this out on another test server. Thanks.

Mod Parent Up - Here's the Link

[xxxJonBoyxxx]

Mod Parent Up! ('cause I wanna know too.)

Of course, the new on-by-default firewall might help, but once a couple of holes get poked in it...

Here's what the poster was chatting about... http://it.slashdot.org/article.pl?sid=05/03/07/141 4234&tid=201&tid=172&tid=128&tid=109&tid=218

Re:Horse Escapes; Barn Door Closes

[Doc+Ruby]

I'm glad your shop uses WS2003 only as a server - that's proper IT policy. Every shop I've worked in, from Canadian & American Federal, state and provincial governments, through Wall Street corps, through broadcast media networks, has sometimes used the Windows server console as an extra workstation. Proper security doesn't mean "don't use those functions of the install, they might have holes". It means "close the holes ASAP".

Except When You Have An Enterprise

[EXTomar]

There is already network hardware that will drop machines into a "sealed" network if they detect anything wrong. They will get a rude awakening when they suddenly can't surf to hotmail.com because they've been disconnected from the general network due to detection of bad traffic. But this stuff isn't exactly cheap.

In any event, this might be a great idea for small install bases but if you have administer a number of machines this is not feasible. Having to remotely monkey with machine is enough of a burden in Windows. Having to physically move from machine to machine is bonkers (especially when co-located).

And people wonder why I laugh at the Cost of Owernship of Windows being cheaper than other productions. All of these hoops you have to jump through to keep the thing running.

Re:Except When You Have An Enterprise

[tweek]

Sure it's cheap in a sense.

Snort has a flexresp package that will update quote a few vendor firewalls and routers to block machines that are sending suspicious traffic.

And by "in a sense" I mean your time is money and the time it takes to really tune your snort rules properly is a big investment. You don't want to have your CEO come bitching at you because his windows update set off a NOOP x86 shellcode attach on the snort filters ;)

Re: Microsoft Releases Windows Server 2003 SP1

[YU+Nicks+NE+Way]

personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place

Not necessarily. The point of a wizard is to standardize the interface so that it's easy to discover how to apply the settings. It doesn't make it any less important to understand what the settings do.

Re: Microsoft Releases Windows Server 2003 SP1

[dubbreak]

This is a server OS, it makes no sense to have it be insecure by default.

Theo is that you?

Re:Horse Escapes; Barn Door Closes

[CDarklock]

This is precisely why I recommend WILO: Windows Inside, Linux Outside (of the firewall). Microsoft is far too slow patching security problems to expose their servers to the public internet, but since their servers are very convenient to administer and deploy within the organisation, you can reduce your IT needs drastically by using them behind the firewall.

Spending $1000 per server per year is rather less of an expense than hiring competent Linux admins throughout the organisation. I can train an intern to run a Windows server. (Hell, I could probably train a *monkey* to run a Windows server.) All I need is one or two Linux guys running our internet presence, and that can be outsourced.

Disclaimer: Please do not run off and staff your entire IT department with interns and monkeys unless you're POSITIVE you won't apfrangle the overscan.

All the libraries are recompiled

[ad0gg]

To take full advantage of the nonexecutable cpu protection. They did the same in XP sp2.

Re: Microsoft Releases Windows Server 2003 SP1

[ClubStew]

Who said it's insecure out of the box? I realize this is /. - one big, happy bandwagon - but serious try using it and reading about it. All unnecessary services are shutdown and not even IIS is installed by default (unless you get the web edition of 2003).

Re:Horse Escapes; Barn Door Closes

[Doc+Ruby]

So you're saying that there are even more security holes that they didn't fix even with the vaunted SP2 (no surprise, just as there should have been no surprise with SP2 after SP1). But Windows is flawed both ways, not just "the other way around": "Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2.". There's holes all over these products, and no reason to believe they're anywhere near all patched now.

Re:"beta version of Longhorn Server later this yea

[scupper]

mainstream support for 2k pro and server expires on June 30, 2005. They're supposed to release an Update Rollup pretty soon, instead of a full blown (bloat) service pack 5. I'm guessing it'll come out around the end of May, beginning of June.

I was just reading about WinFS being back-ported to XP and 2k3 server. Dunno, but that seems like we won't be herded into upgrades as forcefully as it initially appeared before indigo and avalon were backported.

Re:"beta version of Longhorn Server later this yea

[chrisopherpace]

Support for 2K Professional has not been dropped yet:


Clicky


For the impatient, Win2k Pro will be dropped (mainstream support) on June 30, 2005.

Re:Horse Escapes; Barn Door Closes

[lowe0]

I've seen what happens when you let monkeys run any server, Windows, Linux, or otherwise. This attitude is part of the problem.

And MS isn't helping, with their TCO studies. Competent admins cost, no matter what platform they are hired to work on. Sure, MS may have other features of their OS that make it cheaper to operate, but "you can hire stupid people dirt-cheap" should NOT be one of them.

Thank You!

[tealtalon]

I was growing tired of 38-40 update downloads on a fresh server install. I do a couple a week for clients, and all that time adds up, especially if I'm on a clients slow pipe. I was about to burn them all, but the new winupdate certainly doesn't make that easy with all of the vague descriptions etc. You would have to track them all down. They need to put out security rollups more often for those of us stuck loading the damn os.

Re:Thank You!

[rikkards]

You know you can Slipstream the updates? Of course it will be easier now with SP1.

Re:Thank You!

[zeptic]

To make your life more easy you should try slipstreaming. See http://unattended.msfn.org/ for a great tutorial on how to do it!

Re:Horse Escapes; Barn Door Closes

[Doc+Ruby]

It's a good policy to replace MS hosts with something more securable, like Linux, anywhere possible. Outside the firewall (including "outside the VPN") is usually doable, because those are mostly servers. Inside servers are also good targets for non-MS upgrade, because they also don't have hard-to-retrain users. So Samba domain controllers and fileservers, etc, are a strategic approach. Moving all apps to platform-independent Web apps is a workable migration strategy. Eventually, I'd like to see only a well-patrolled rack of Windows client boxes in a pool for VNC or something, handling the bottleneck of opening Office format files. Then the fershliggina users can't schneider the frammistan.

MBSA 2.0?

[scupper]

I guess they're going to roll out MBSA 2.0 later this year? They did the same thing with 1.2.1 when xp sp2 was released. I kind of thought they should release the MBSA with the service pack, or at least have it updated, tested and available to assist in configuration of the new security features, like 2k3 server's new firewall and checking Security Configuration Wizard for errors.

Re:MBSA 2.0?

[scupper]

har har.

Well, the link above explains it.
Microsoft Baseline Security Analyzer
I wouldn't rely on this app, but they are pitching it as an essential vulnerability assessment tool of their Secuirty Initiative they've been hyping since '02. I wondered why they didn't roll out 1.2.1 with xp sp2, as people were tweaking about how to configure the new firewall settings, and this program makes short order of assessing the basics for the average user.

Re:MBSA 2.0?

[scupper]

uh, what journal? what entries?what does this have to do with this thread?

Re:We just got BSOD

[tealtalon]

Where on that screen does it say autoinstall?
Just because it's on the windows update site doesn't mean it will auto install. Who in their right mind leaves a production server on automaticly install updates? Seriously you should be fired.

Re:We just got BSOD

[archen]

Umm... you weren't seriously going to deploy that today were you? Servers up today are still secure so there's no immidiate rush. There are more than enough insane people who try to install it immidiatly to know what to look out for, so it's best to wait a week or so.

That's what really sucks about the windows registration proceedure. You can't just throw a copy on a machine install the SP to see if it blows up or not. With Win2k I do this regularly and it's saved me a couple times. I'm certainly not paying MS an extra $800 so I can test their shit to see if it breaks my machine.

In other news..

[c0ldfusi0n]

Microsoft acknowledge January patch for 98/ME is flawed. Surprise!!

Re:Horse Escapes; Barn Door Closes

[CDarklock]

> I've seen what happens when
> you let monkeys run any server

Yes, they apfrangle the overscan. So don't do it unless you're *positive* you have solved the problem. I mentioned this already.

> Competent admins cost

And an apfrangled overscan can only be detected, prevented, or resolved by a competent admin.

Translation: inexperienced admins always create situations that only an experienced admin can resolve. They need experienced supervision and guidance, both to prevent these situations when possible, and to clean them up when not. So you need to have enough experienced and competent IT professionals to supervise and guide all your interns and monkeys.

That's where people go wrong. Hiring a *few* stupid people dirt-cheap will free up your experienced admins to work on things only they can do. Hiring a LOT of stupid people dirt-cheap just wastes all your experienced admins on managing interns and monkeys instead of running the network. Replacing your experienced people with interns and monkeys... well, apfrangles the overscan.

What are you on about?

[Inoshiro]

"Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. "

Last time I looked at ftp.kernel.org, there were lots of nice patches in the /pub/linux/kernel/v2.6 directory. It's how I've been updating my 2.6 since I first downloaded it at 2.6.4. cat ../patch-2.6.N | patch -p1 -E && make oldconfig does wonders.

Some of the deltas are large (a couple mb), but nothing like the size of a full kernel download.

Re:What are you on about?

[Rich0]

Gentoo usually uses deltas for kernel downloads - at least for security patches. Anybody who is updating that still has the old tgz file sitting around only needs to download the 1K patch file.

Clicky

[abb3w]

Does it still require an activation code of some kind or not ?

First, last I checked none of Microsoft's patches required sending an activation code yet in order to download; so far, they're just asking very nicely (for a corporate behemoth)-- you could still say no and download any of them.

Second, for this service pack Billy Boy doesn't even ask; just go to the URL given in the story, click the button and download. Or, just download directly once someone provides the karma-whoring direct file link for you.

I presume, of course, you're not silly enough to be asking if Win2K3Srv still requires a key to install in the first place....

Re: Microsoft Releases Windows Server 2003 SP1

[highcon]

Why other companies haven't thought about this, I have no idea

What other companies make "server" software that allows someone to configure something without understanding what they are doing? I'm assuming the other companies you are talking about are all *nix vendors of some sort, and they don't have the same incidence of their customers plugging unpatched boxes into live, unfiltered networks.

Re: Microsoft Releases Windows Server 2003 SP1

[Albio]

I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

That's not always true. A wizard that quickly macros something you were going to do anyways sounds like a great idea.

No it wasn't.

[CaymanIslandCarpedie]

Longhorn client is to be released this year, Longhorn server has always been planned about a year after the client.

Re:329.3 MB Of What? Why The Monolithic Patches?

[theManInTheYellowHat]

echo #!/bin/bash\nwget http://www.microsoft.com/downloads/info.aspx?na=90 &p=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=2 2cfc239-337c-4d81-8354-72593b1c1f43&genscs=&u=http %3a%2f%2fdownload.microsoft.com%2fdownload%2f1%2f2 %2f7%2f127c5938-d36a-4405-9df1-f00d57495652%2fWind owsServer2003-KB889101-SP1-x86-ENU.exe > getfiles.sh
at -f getfiles.sh 00:01 +2days

Re:329.3 MB Of What? Why The Monolithic Patches?

[mr_z_beeblebrox]

but past history on other updates tells me I should watch the process to make sure it goes all the way through

Wow, something tells you that you should watch a service pack install. You are pretty smart, are you looking for work?

You will be...you will be (yoda voice)

This counts as one vulnerability, right?

[GbrDead]

And even more - it's a fix! :-)

Re: Microsoft Releases Windows Server 2003 SP1

[ergo98]

First new and improved script-kiddie exploits available in 3...2..1...

Keep that argument going, but the reality is that Windows Server 2003 has been the most secure Microsoft offering to date (I know I know - that isn't saying much).

Through a minimalist initial setup, to a wide variety of security improvements in things like the way IIS 6 operates, Windows Server 2003 has fallen prey to very, very few exploits. I think the fact that the first service pack took two years to hit the market, and much of it is additional functionality or tweaking (rather than actual fixes), really says a lot for the quality of the product.

I guess my point, if I have one, is that while the anti-M$ hoardes continue the security mantra as if it was 1999, Windows Server 2003 is really an excellent, secure product. I think the mininions need to evolve their FUD.

backup fix?

[lee+n.+field]

So, will this finally fix the problems with ntbackup that I'm seeing with some of my customers?

Re:backup fix?

[exKingZog]

Are they on Small Business Server by any chance? Because we've been having regular errors relating to NT backup for a while now, and while it appears to work, every now and then it'll miss a backup, and the GUI is often slow and unresponsive.

Re:backup fix?

[lee+n.+field]

One is on Small Business Server. One is on Plain Old Server. I can run backups manually with no problem, but on the SBS machine a scheduled backup from a batch file will sometimes work, mostly not. On the POS 2003 machine, I just haven't been able to get scheduled backup to work.

Apu with Microsoft didn't help much.

Re:backup fix?

[Dogers]

DO **NOT** install this service pack on SBS03!!

It will screw up the server beyond belief!

SBS 2003 SP1 will be coming out "within 60 days" and will include ISA 2004 for SBS Premium customers.

Just wait :)

Re:backup fix?

[exKingZog]

That's exactly the situation we've got on SBS, especially with AD and Exchange backups. Hopefully the forthcoming SBS SP1 will fix it.

SP1 Now I Can Install!

[camliner]

Actually... there are a lot of Sys Admins that still will not even think about upgrading their server OS until SP1 comes out.

Re:SP1 Now I Can Install!

[xgamer04]

And for good reason! I don't think many mission-critical servers should be upgraded the moment a new system version comes out (ex: linux kernel 2.6.0)

Wow... broken on the install!

[murreyaw]

Wow, I went to install the Security Configuration Wizard, and it blue screened the box! Now, thats secure.

Early Adopters get busy

[thilde]

Ok Microserfs

Times a waste'n
Install that service pack so we can get past the debugging phase and to the part where I might consider applying this thing to my servers.

Re:329.3 MB Of What? Why The Monolithic Patches?

[Deviate_X]

I understand what your saying, but you should also remember that FC3 is only a few months. If things carry on in this fashion then after 1 year you might have 1GB of patches to apply to FC3! :) but then again i suppose it will be called FC4.

Out of interest, is it possible to bundle all those 450Mb FC3 patches into 1 install which can be applied to multiple machines SP style.

Re: Microsoft Releases Windows Server 2003 SP1

[Quikah]

What are you kidding me? I have configured an AIX box and an HP-UX box without knowing what the hell I was doing, their GUI admin tool makes it very easy to do this. Solaris is a bit tougher as their gui tools kind of suck, but their install is pretty easy to do without knowing what you are doing.

Torrents?

[pjf(at)gna.org]

Where can I download torrents from? ;-)

Re:We just got BSOD

[Quikah]

Yes you can, you have 30 days to register.

Re:Does this still work?

[Doc+Ruby]

I think MS guards against that kind of attack by not including a C compiler with the OS ;).

Re:We just got BSOD

[Who+drank+my+chocola]

Odd, my SUS Synchronization log showed this for this morning's attempted sync:

Errors:
Windows Server 2003 Service Pack 1: Failed to download from URL 'http://download.windowsupdate.com/msdownload/upda te/v3-19990518/cabpool/WindowsServer2003-KB889101- SP1-x86-ENU_6e6d2db278226bf7a257f86d8b5e056.exe'. (Error 0x8007000D: The data is invalid.) - WindowsServer2003-KB889101-SP1-x86-ENU_6e6d2db2782 26bf7a257f86d8b5e056.exe

...so I'm note sure what you're talking about, exactly. Did you check your Sync log before posting?

Re: Microsoft Releases Windows Server 2003 SP1

[drinkypoo]

Fedora is a desktop-specific distribution. It was explicitly designed with cutting-edge desktop functionality in mind in order to suck in more users. It is a beta test program for RHEL. The problem isn't that your sysadmin ran redhate, it's that they ran fedora. Not that I would run redhat anyway... We have SuSe here at work, and I personally run gentoo. I'm not a big SuSe fan either (yet?) but I'd rather that than wait for Redhat to find the NEXT way to break promises and piss me off.

Re: Microsoft Releases Windows Server 2003 SP1

[Some+Dumbass...]

The PSSU feature, though (as I mentioned in another post), that blocks incoming traffic on first boot and immediately directs the user to download updates is awesome. Why other companies haven't thought about this, I have no idea.

In the last several versions of Linux that I've installed, downloading the latest updates has been part of the install process. So I'm thinking that maybe other companies have thought of this, though they arrived at a slightly different solution.

Now, if Windows did that on _every_ boot (configurably, I would hope), that would be interesting. It might be useful for a server which have been offline for a while, e.g. after a power outage, fire, or other similar emergency.

Security Configuration Wizards

[Acer500]

I haven't tried it yet, but I'd rather have a Security Wizard than nothing at all.

It may amaze you, but there are people administering servers that are not fully qualified (me, I'm not as qualified as I should be), for whom having a Security Wizard may be a big boon.

I do hope that it allows for later tweaking.

Good to know that it has improved security.

It appears no one has actually installed 2003...

[PPGMD]

either that, or they are using the pirated volume license key, because it does have activation, it has the same activation policy as Windows XP.

Incompatible with Exchange 2003!!!

At my work, they tried W2k3 SP1 for our exchange 2k3 and exchange 2003 even refused to install saying it was an unrecognized version of windows!!!

What a piece of junk!

Re:and

[suitepotato]

Not flamebait to me, personally. I'd like to know which included apps might now be broke and which they are actually working on patches for pending SP2. This is old standard MS proceedure and we should all know by now that it is a valid question.

Of course, custom and 3rd party apps being broke goes w/out saying. I used to say that if people stuck to the MFCs and the rest of the MS standards and didn't custom code and mod dlls, then they'd be much better off, but even doing the cleanest MS standard job you can, one little thing is done on the OS side by MS and everything goes to fark. One minute fine, the next not a single desktop or server will work and all report exactly the same fault.

Re:Any Relation?

[cqnn]

It's just coincidence; some MS reps have been talking about
them targeting an "end of March" release for the Service Pack
since January.

It will be interesting to see if they can keep up with the
rest of the timeline they had projected from that period.

Re:It appears no one has actually installed 2003..

[rikkards]

Not the select version

Re:329.3 MB Of What? Why The Monolithic Patches?

[nachoboy]

I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accomidate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.

This is exactly what they do. The large 300+ MB download is designed for network administrators who want to download the whole thing to apply to multiple machines. If you're just going to be updating a single machine, use Windows Update to get SP1. It uses a smart installer to only download the pieces you need (typically one-third to one-half the size of the full update).

Update

[Sean+Clifford]

>>It was automagically deployed

Nope; no it wasn't. That's what the network admin initially told me; then that it was automatically downloaded. He started walking me through what he did on another testbed; he used Windows Update. So this was wrong, wrong, wrong - SP1 was not deployed automatically.

This was not a production machine and I didn't deploy SP1; I was asked to take a look at it after the fact.

The uninstall procedure for SP1 via the recovery console didn't work; the Knoppix idea was nixed in favor of feeding the PowerVault tapes. There's nothing important on the box anyway.

>>The $245 an hour Microsoft support guy

As it was pointed out below it's $245 per incident.

There's been much ballyhoo, bile, and whatnot on this thread about this being a troll, lies, FUD, flamebait, etc. Nope, it happened (albeit the reported autoupdate was *wrong*) and was relevant.

I was surprised that the Microsoft support folks we spoke with didn't know that Windows 2003 SP1 was released today. We talked with two who said MS usually lets them know a week or more in advance, but they didn't get the word. Surprised, but not all bent out of shape about it.

There were a lot of issues reported around XP SP2, but it worked fine in my experience. I only had one box have a problem with XP SP2 - one that had the "express" install. After doing the network install everything was fine.

I'm reserving judgement on SP1; this is a single incident after all, though someone else reported a similar problem in this thread. It will probably work fine for most folks, but obviously it shouldn't be slapped on production boxes just yet. And backups go without saying.

Re: Microsoft Releases Windows Server 2003 SP1

[drsmithy]

I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

But I'm sure you'd be ok with using perl (or whatever) to script a few changes to a system's default configuration ?

Guide to turn 2003 Server into a Workstation...

[kcb93x]

http://www.msfn.org/win2k3/

Re: Microsoft Releases Windows Server 2003 SP1

[drinkypoo]

Actually, I've installed [a beta of] 2003 server and you're right, pretty much everything is turned off and/or uninstalled, usually uninstalled. The thing that runs when 2003 server starts makes your system less secure because you generally use it to install stuff :) HHOS. Nonetheless, I suggest that anything you do from an initial wizard that makes your system more secure that doesn't involve downloading and installing something that could not reasonably have been included on the installation media should have been the default.

Re:How is this relevent to slashdot

[NanoGator]

"when most of the users don't like WINDOWS !! Then why bother talking about it ?" I imagine because 10s of millions of people use it.

Re:Oh great

[klui]

The Remote Desktop breaking happened to me with some versions of ATI's drivers under XP SP1 and 2003 no SP.

Re:Oh great

[syousef]

I've got an NVidia GeForce 5200 based card here. Works fine with XP SP1.

Service Pack ?

[slothjammin]

Service Pack? Hardly! It's a complete rewrite at 330MB! Good thing it isn't our File server or Comm server. It is our Terminal Server.
Late.

Update - Dell Open Manage & BSOD w/Win2k3SP1

[Sean+Clifford]

Dell support determined that the BSOD problem was our our version of Dell Open Manage on a 2850. Dell will release version 4.4 in June. Would have posted earlier, but found myself banned for a while due to moderation.

Again, it was *not automagically* installed (nor was all this trolling or flamebaiting); see another reply that lays out what happened.