Slashdot Mirror
Microsoft Releases Windows Server 2003 SP1
Masq666 writes "Microsoft has wrapped up development on the first major update to its Windows Server 2003 operating system and released it for download, The company said that Windows Server 2003 Service Pack 1 is currently available for download via Microsoft's site and will soon start showing up on new servers. Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2. News.com.com has more details and commentary."
I've been using the latest RC as a desktop OS for a while, and it's pretty good; it does have some issues with Steam, but then again, it's not meant to be a gaming OS, just a server OS.
All in all, though, it's damn stable and secure as is, and it's pretty responsive.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
OK, I am not a Windows Server 2003 admin, but is it just me, or is it really odd that Microsoft is just now including a firewall?
If you don't know what AltaVista is (was), get off my lawn.
So what is "later this year" in Microsoft time?
This?
http://www.winsupersite.com/showcase/longhorn_pre
Longhorn Milestone 9 (M9) and platform complete
March 2005
Longhorn Beta 1
Late May 2005
Longhorn Beta 2
October 2005
Longhorn Release Candidate 0 (RC0)
Late February 2006
Longhorn Release Candidate 1 (RC1)
April 2006
Longhorn release to manufacturing (RTM)
May 24, 2006
In all seriousness, I definitely like the new "PSSU" (Post-Setup Security Updates) feature. Awful name, but it does the following when someone first installs Windows 2003:
1.) Blocks all incoming traffic.
2.) Immediately guides the first person who logs on through downloading updates.
This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.
Enhancements
In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:
Stronger defaults and privilege reduction on services--Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.
Support for "no execute" hardware--Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.
Network Access Quarantine Control components included--Windows Server 2003 SP1now includes the Rqs.exe and Rqc.exe components to make deployment ofNetwork Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003.
IIS 6.0 metabase auditing--The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.
New features
Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.
Windows Firewall--Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer's network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.
Post-Setup Security Updates (PSSU)--Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.
Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.
True, but they have a few excellent ideas in there. I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.
The PSSU feature, though (as I mentioned in another post), that blocks incoming traffic on first boot and immediately directs the user to download updates is awesome. Why other companies haven't thought about this, I have no idea. I really hope this gets put into the next consumer version of Windows.
IMHOP, the more interesting tidbit from this article is the info that XP 64-bit should go on sale next month :-) As the proud owner of 2 athlon 64's, that's actually something I would want to know about....
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
It is quite hefty but then this is what I expect from "Service Packs" especially in one giant chunk.
"Download time remaining: 22 minutes"
So now I'm chained to box since I suspect at some point I need to click something on some dialog to complete installation (this is an assumption but past history on other updates tells me I should watch the process to make sure it goes all the way through).
On the other hand I had to setup sever based off of FC3 yesterday and out of the box it required to download 450MBish of stuff broken into 150+ individual downloads. After installing the gpg keys, I started the update ('yum -y update') and walked away from it. Other systems have something that is just as easy and dare say fool proof.
I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accomidate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.
1) They are easy to crack remotely with default installs.
2) Weekly if not daily patches are required.
So, Microsoft comes out with SP1 and people are already whining.
1) What is the "no inbound connections by default" stuff going to help?
2) The length of time between Windows 2003's release and its first service pack.
C'mon people, put it together.
This is beta software and not part of Windows Update. There's literally NO WAY it could have been automatically downloaded and installed: it must be manually downloaded and then explicitly installed.
Slashbots are morons for a) believing this troll and b) modding it up.
It could be that many libraries were completely re-compiled with a better compiler that automatically closes some holes (like data overflows), so the whole shebang needs to be reapplied, even if there were actually no code changes.
The size is because the entire of the core services set has been recompiled to use the XP-SP2 Data-Execution prevention technology, which allows for NX support in all applications with appropriate hardware, and a further emulated NX feature that covers the core services infrastructure regardless of CPU platform. This doesnt require most applications to be recompiled, because most of the changes have occured behind the Hardware abstraction that all Windows applications are coded for.
Regards,
-Steven Gray
-Technical Director, Pulse Unsigned
This is different from Linux packages how, though? RPM doesn't do deltas. DEB doesn't do deltas. Every time there's a patch to one piece of the kernel, you have to download the entire kernel package again. Mandrake 10.1 has gone through at least three full RPM releases of KDE 3.2 for bugfixes -- that's not a fun set of downloads, let me tell you.
It's a valid criticism for everyone, not just MS.
If some of the security updates are related to compiling with different options (like the buffer overflow detection changes Visual C++ has been making), then every binary would be affected.
Are you kidding? 2k3 server makes for a far better desktop than XP. All the annoying crap is off by default.
No bubbly playskool theme. No MSN Messenger popups. No product activation. No "take the tour!". No windows media player intruding into everything. IE is crippled by default -- ripe for Firefox installation.
It feels a lot more like if you took 2000 Pro and added the few GOOD things about XP.