Microsoft Releases Windows Server 2003 SP1
Masq666 writes "Microsoft has wrapped up development on the first major update to its Windows Server 2003 operating system and released it for download. The company said that Windows Server 2003 Service Pack 1 is currently available for download via Microsoft's site and will soon start showing up on new servers. Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2. News.com.com has more details and commentary."
First new and improved script-kiddie exploits available in 3...2..1...
I've been using the latest RC as a desktop OS for a while, and it's pretty good; it does have some issues with Steam, but then again, it's not meant to be a gaming OS, just a server OS.
All in all, though, it's damn stable and secure as is, and it's pretty responsive.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
OK, I am not a Windows Server 2003 admin, but is it just me, or is it really odd that Microsoft is just now including a firewall?
If you don't know what AltaVista is (was), get off my lawn.
So what is "later this year" in Microsoft time?
This?
http://www.winsupersite.com/showcase/longhorn_pre
Longhorn Milestone 9 (M9) and platform complete: March 2005
Longhorn Beta 1: Late May 2005
Longhorn Beta 2: October 2005
Longhorn Release Candidate 0 (RC0): Late February 2006
Longhorn Release Candidate 1 (RC1): April 2006
Longhorn release to manufacturing (RTM): May 24, 2006
In all seriousness, I definitely like the new "PSSU" (Post-Setup Security Updates) feature. Awful name, but it does the following when someone first installs Windows 2003:
1.) Blocks all incoming traffic.
2.) Immediately guides the first person who logs on through downloading updates.
This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.
</sarcasm>
Enhancements
In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:
Stronger defaults and privilege reduction on services--Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.
Support for "no execute" hardware--Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.
Network Access Quarantine Control components included--Windows Server 2003 SP1 now includes the Rqs.exe and Rqc.exe components to make deployment of Network Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003.
IIS 6.0 metabase auditing--The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.
New features
Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.
Windows Firewall--Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer's network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.
Post-Setup Security Updates (PSSU)--Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.
Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.
True, but they have a few excellent ideas in there. I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place).
The PSSU feature, though (as I mentioned in another post), that blocks incoming traffic on first boot and immediately directs the user to download updates is awesome. Why other companies haven't thought about this, I have no idea. I really hope this gets put into the next consumer version of Windows.
And not even Billy Gates would bet against it, he's too good a businessman for that.
Pfff! As if! Bill Gates would take your bet, then he'd make sure that copies of SP1 stay out of the hands of the most common bug reporters, that tech support conveniently "loses" any reports that do come in, and he'd send CERT on an all expenses paid (and tax deductible!) vacation for doing such a good job.
Then he'd collect his 10 pounds, and make a fortune off of advertising that 2003 is more secure than ever!
Javascript + Nintendo DSi = DSiCade
I say wait until SP2.
IMHOP, the more interesting tidbit from this article is the info that XP 64-bit should go on sale next month :-) As the proud owner of 2 athlon 64's, that's actually something I would want to know about....
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
Ok, I have used Windows for development in 95 and 98 releases and now use OS X very happily. What surprises me is we are in late March of 2005 and Windows 2003 SP***1*** is being released.
--- Old Time NeXThead
Ok, you are basically throwing up the red flag saying, "I don't have a legitimate install of Windows 2003 Server, so I want to know if I can update my server without getting in trouble". To answer that, I say take your chances, because my company has legitimate copies, so I don't have to worry about if it will let me update or not.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Microsoft is also using the Windows Server 2003 SP1 code base as the starting point for the next desktop version of Windows, code-named Longhorn, which is slated to arrive next year.
Wasn't Longhorn supposed to originally be released this year? If they're going to use this service pack as a code base, they must be a long, long, long way off from a longhorn release . . .
It is quite hefty but then this is what I expect from "Service Packs" especially in one giant chunk.
"Download time remaining: 22 minutes"
So now I'm chained to the box since I suspect at some point I need to click something on some dialog to complete installation (this is an assumption but past history on other updates tells me I should watch the process to make sure it goes all the way through).
On the other hand I had to set up a server based off of FC3 yesterday and out of the box it required downloading 450MBish of stuff broken into 150+ individual downloads. After installing the gpg keys, I started the update ('yum -y update') and walked away from it. Other systems have something that is just as easy and, dare I say, foolproof.
I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accommodate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.
If you install this on SBS2003, do NOT run the new wizards - wait until SBS2003 SP1 is released in the next month or so.
1) They are easy to crack remotely with default installs.
2) Weekly if not daily patches are required.
So, Microsoft comes out with SP1 and people are already whining.
1) What is the "no inbound connections by default" stuff going to help?
2) The length of time between Windows 2003's release and its first service pack.
C'mon people, put it together.
This is beta software and not part of Windows Update. There's literally NO WAY it could have been automatically downloaded and installed: it must be manually downloaded and then explicitly installed.
Slashbots are morons for a) believing this troll and b) modding it up.
How did it "automagically" deploy on your box when MS isn't putting it on Windows Update until July? It can only be manually downloaded until then.
It is available through Windows Update right now. I don't know if it will work through Automatic Updates, but if you manually activate Windows Update the scan results page will inform you that it is one of the "Critical Updates and Service Packs".
The open-source world must scare you shitless then. A lot of those projects have a release-of-the-day or release-of-the-week...
According to these links, Microsoft has finally figured out how Linux boots with tftp:
BartPE using PXE
Booting Windows from a Debian box
It's nice to see Microsoft pick this up. Booting Windows with standard tools, what a concept!
I'm sooooo spoiled with anaconda kickstarts... can Microsoft make deploying servers as easy as RedHat/Fedora?
I had a paranoid thought the other day. It seems that the MS policy for supporting products runs for about 5 years. Support for 2K pro was dropped earlier this year. XP was first released in May 2001, longhorn May 2006. Is this the forthcoming strategy for the forced upgrades that we all know and love?
Our diversity is our strength
Oh, you will be surprised at what I get asked to do, and this is from business people with more money to spare than I do. "Hey, can you crack this software for me?" "Can't I just load this one copy on all the machines?" So many times I have to stick my neck out and say I can't do that, or that we need to buy more licenses. With that I get an angry face and a huff from them because I didn't want to compromise myself to save them a couple bucks. I became the IT manager of this company months ago and I'm still trying to figure out if all our installs of MS Office are legit or not, since the company didn't keep a record of anything, not even the disks that came with the PCs.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Anyone know if it's still vulnerable to the old LAND attack?
-maztuh
The real litigious bastards...
Unless you're an introverted cubicle-minion who gets away dealing only with a narrow set of *nix or mainframe applications (which never talk to Windows boxes), I would think Win2K3sp1 is news.
Another way to look at is that Slashdot will happily post the latest release of "NotReallyNecessaryUtility 0.3 Beta" as news...
Hey, why aren't they rolling out a pared down version of Security Configuration Wizard (SCW) for XP?
The "Security Center" on XP is pretty cheesy, didn't even include an updated MBSA until a couple months after XP sp2 was released. Most folks won't dig into using the Local Security Policy snap-in or Security Configuration and Analysis snap-in, or fiddle with changing their template.
"I'm really at a loss of words to describe this brilliance.
Just think of it, closing all open ports from incoming traffic by default now. Wow. Why didn't anyone else come up with this great idea before?"
It's not what you're thinking of - I don't think you're getting it. This isn't a firewall that gets turned on. Rather, the user can't do anything on the network until the system is up-to-date. It basically sandboxes the user from all internet traffic but the update site. I don't know of a single other OS that does this.
It could be that many libraries were completely re-compiled with a better compiler that automatically closes some holes (like data overflows), so the whole shebang needs to be reapplied, even if there were actually no code changes.
The size is because the entire of the core services set has been recompiled to use the XP-SP2 Data-Execution prevention technology, which allows for NX support in all applications with appropriate hardware, and a further emulated NX feature that covers the core services infrastructure regardless of CPU platform. This doesn't require most applications to be recompiled, because most of the changes have occurred behind the Hardware abstraction that all Windows applications are coded for.
Regards,
-Steven Gray
-Technical Director, Pulse Unsigned
This is different from Linux packages how, though? RPM doesn't do deltas. DEB doesn't do deltas. Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. Mandrake 10.1 has gone through at least three full RPM releases of KDE 3.2 for bugfixes -- that's not a fun set of downloads, let me tell you.
It's a valid criticism for everyone, not just MS.
If some of the security updates are related to compiling with different options (like the buffer overflow detection changes Visual C++ has been making), then every binary would be affected.
Who said it's insecure out of the box? I realize this is /. - one big, happy bandwagon - but seriously, try using it and reading about it. All unnecessary services are shut down and not even IIS is installed by default (unless you get the web edition of 2003).
Mainstream support for 2k pro and server expires on June 30, 2005. They're supposed to release an Update Rollup pretty soon, instead of a full blown (bloat) service pack 5. I'm guessing it'll come out around the end of May, beginning of June.
I was just reading about WinFS being back-ported to XP and 2k3 server. Dunno, but that seems like we won't be herded into upgrades as forcefully as it initially appeared before indigo and avalon were backported.
You can disable it.....
Apply Windows 2000 Default Internet Explorer Security Settings
If Internet Explorer Enhanced Security Configuration is enabled on your server, you may decide to use the default Internet Explorer security settings used by Windows 2000.
To do this, follow these steps:
1. Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
2. Select Internet Explorer Enhanced Security Configuration, click to clear the selection, and then click OK.
3. Click Next, and then click Finish.
4. Restart Internet Explorer to apply the changes.
Bored? Why not join a decent mess
Which is what most people do. Which enhances security... how again? It's really a stupid way of "securing" a Windows machine, because it really amounts to nothing more than a nag screen telling you to not click on anything or the boogeyman is going to get you. :-/
Considering that the only reason why you need a web browser on a server is for troubleshooting and patch downloads, then disabling browser plugins, disabling auto-file open/external URL handlers, and removing ActiveX support should do the trick nicely.
Javascript + Nintendo DSi = DSiCade
Microsoft acknowledges January patch for 98/ME is flawed. Surprise!!
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
"Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. "
Last time I looked at ftp.kernel.org, there were lots of nice patches in the /pub/linux/kernel/v2.6 directory. It's how I've been updating my 2.6 since I first downloaded it at 2.6.4. cat ../patch-2.6.N | patch -p1 -E && make oldconfig does wonders.
Some of the deltas are large (a couple mb), but nothing like the size of a full kernel download.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
First, last I checked none of Microsoft's patches required sending an activation code yet in order to download; so far, they're just asking very nicely (for a corporate behemoth)-- you could still say no and download any of them.
Second, for this service pack Billy Boy doesn't even ask; just go to the URL given in the story, click the button and download. Or, just download directly once someone provides the karma-whoring direct file link for you.
I presume, of course, you're not silly enough to be asking if Win2K3Srv still requires a key to install in the first place....
//Information does not want to be free; it wants to breed.
Why other companies haven't thought about this, I have no idea
What other companies make "server" software that allows someone to configure something without understanding what they are doing? I'm assuming the other companies you are talking about are all *nix vendors of some sort, and they don't have the same incidence of their customers plugging unpatched boxes into live, unfiltered networks.
You can either complain, or do nothing. You don't get both.
Are you kidding? 2k3 server makes for a far better desktop than XP. All the annoying crap is off by default.
No bubbly playskool theme. No MSN Messenger popups. No product activation. No "take the tour!". No windows media player intruding into everything. IE is crippled by default -- ripe for Firefox installation.
It feels a lot more like if you took 2000 Pro and added the few GOOD things about XP.
If you bought licenses through a volume-licensing agreement, you may be able to at least get your vendor to look up your authorization codes.
Gamingmuseum.com: Give your 3D accelerator a rest.
That's not always true. A wizard that quickly macros something you were going to do anyways sounds like a great idea.
Actually... there are a lot of Sys Admins that still will not even think about upgrading their server OS until SP1 comes out.
Ok Microserfs
Times a waste'n
Install that service pack so we can get past the debugging phase and to the part where I might consider applying this thing to my servers.
I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accommodate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.
This is exactly what they do. The large 300+ MB download is designed for network administrators who want to download the whole thing to apply to multiple machines. If you're just going to be updating a single machine, use Windows Update to get SP1. It uses a smart installer to only download the pieces you need (typically one-third to one-half the size of the full update).