6 Key Security Improvements in Windows Server 2003 SP1
- By Scott Bekker
- February 14, 2005
Most Microsoft service packs have a lot to do with security. They gather the security, performance and compatibility hotfixes produced since the last full release or service pack. The fixes are tested together as a full package, providing for better reliability than applying the hotfixes individually.
With Microsoft's delivery cycle for major operating systems stretching out, however, the company is making the service pack the main way it ships new security features, as well. The main example is Windows XP Service Pack 2, released last August. SP2 brought a new firewall and a host of improvements to Internet Explorer and Outlook Express.
The Windows Server 2003 SP1 project is part of the same initiative as Windows XP SP2. Called "Springboard," the initiative improves the base security of Microsoft's installed base, without requiring customers to spend more. The client came first because the situation was far more critical on that side of the Windows platform. Servers are presumably configured more securely in the first place and used less promiscuously than clients.
Windows Server 2003 also had a head start on Windows XP. The server OS was the first subjected to a Trustworthy Computing code review before its release. The results occasionally show up in Microsoft security bulletins, when Windows Server 2003 is less vulnerable to certain security flaws than Windows XP even with SP2 applied.
Nonetheless, everything can use a security tune-up and Microsoft has several tweaks for Windows Server 2003 this time. With a second Release Candidate posted last week, Microsoft is getting very close to general availability of Windows Server 2003 SP1. Much of the technical documentation for the service pack is now available.
"Service Pack 1 dramatically shrinks the attack surface of Windows Server 2003. Not only does it reactively address known security holes via updates, it sets up customers to proactively face future security threats," Microsoft says in its documentation.
Microsoft's documentation reveals six key security investments in Windows Server 2003 SP1 that make the service pack a vital security addition to the Windows Server 2003 systems on your network.
Security Configuration Wizard
The most interesting feature in Microsoft's SP1 security enhancements is the Security Configuration Wizard (SCW). Like a packaged "best practices" tool, SCW presents a user with a list of potential server roles, then locks down the server to support only the selected role. Microsoft originally hoped to ship the functionality in the summer of 2003.
The list in the wizard includes more than 50 different server roles, including SQL Server, Exchange Server, BizTalk Server and a cluster server. SCW disables services and IIS Web extensions; blocks unused ports; secures remaining ports using IPSec; reduces protocol exposure for LDAP, LAN Manager and server message block (SMB); configures audit settings; and imports Windows security templates for settings not configured by the wizard.
SCW also supports rollback to the server's pre-SCW state, analysis to confirm servers comply with expected policies, remote access, command-line administration, Active Directory and editing of security policies.
Windows Firewall
The Windows Firewall is the biggest -- and most disruptive -- feature of Windows XP SP2. The overhauled version of the Internet Connection Firewall is also being included in Windows Server 2003 with SP1, although Microsoft reasonably doesn't expect the firewall to be as widely used in the server. Unlike in SP2, the new firewall is off by default in Windows Server 2003 SP1. However, the firewall enables one of the key security improvements in SP1 …
Post-Setup Security Updates
The Windows Firewall is used to support a feature called "Post-Setup Security Updates" (PSSU). With recent studies showing that computers connected to the public Internet can be attacked within an average of a little over 20 minutes, Microsoft is using SP1 to make sure servers aren't exposed that long during initial setup. PSSU covers servers during the vulnerable time between a clean install and configuration of an enterprise firewall and download of the latest security updates.
SP1 uses the Windows Firewall to block all inbound connections to the server until Windows Update delivers the latest security updates to the new server. Windows Firewall is then turned off unless the user chooses to enable it. In addition to managing the firewall during installation, PSSU also walks administrators through configuring Automatic Updates.
Network Access Quarantine Control Components
Microsoft is dribbling out a few more pieces of its quarantining technologies in SP1. Quarantining allows administrators to block clients, especially laptops and other occasionally connected systems, from having full access to the network until they prove they have the latest patches, anti-virus signatures and security policies in place. It will take several releases, including R2 and Longhorn, for Microsoft to roll out its entire quarantining infrastructure, but a few more pieces are coming in SP1. The pieces in SP1 are the Rqs.exe and Rqc.exe components, which Microsoft says will make deployment of Network Access Quarantine Control easier.
Support for "No Execute" Hardware
Intel and Advanced Micro Devices built functionality into hardware to prevent malicious code from launching attacks from areas of computer memory that shouldn't be running code. Like XP SP2, Windows Server 2003 SP1 adds software support for such so-called "no execute" hardware. The effort cuts off the common category of overflow attacks, where an attacker overruns a stack or buffer with commands. The feature applies to 32-bit and 64-bit systems.
Stronger Defaults and Privilege Reduction
A major part of the Trustworthy Computing code review before Windows Server 2003 came out was an insistence on stronger defaults and privilege reduction on services.
Microsoft continued that work for the release of SP1, with a focus on RPC and DCOM. "Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves," Microsoft's documentation says.
A Necessary Upgrade
Windows Server 2003 SP1, which had already been downloaded in its RC1 form for evaluation 86,000 times by the end of January, will be more than a security update. It will form the technical foundation for much of Microsoft's remaining 2005 server roadmap -- including the x64 editions of Windows and the "R2" release of Windows Server 2003.
But the security improvements are without a doubt the best reason to evaluate and deploy this massive set of fixes.
For more information, follow this link to Microsoft's Technical Preview Program.