In praise of Windows 2003 SP1

Reasonable fixes

Usually I get to use this space to complain about Microsoft's poor security practices, but not this time -- with last week's release of Windows 2003 Service Pack 1, this time they get praise. After eighteen months of beta testing, Service Pack 1 (SP1) is now publicly available and loaded with security enhancements. I thought I'd mention some of my own favorites here.

Attitude shift

The most important security improvement I noticed right off was the significant shift of attitude towards security. Microsoft's technical overview of SP1 begins with several honest admissions. The document openly acknowledges the "customer pain centered on server security." They also confess that, "Update management ... is too complex and too labor intensive" and that "customers must painstakingly test the updates to verify that they do not interfere with mission critical systems."

The document also states that the current approach to Windows security "often delivers too little security too late for many Windows Server 2003 customers," adding that, "This situation is simply untenable."

I was quite shocked. No justifications, no defensiveness, no blaming, and no marketing fluff. They simply concede that they had problems and now offer some reasonable fixes.

IE secured

A long-awaited security update is the more secure Internet Explorer that, up to now, was only available on Windows XP SP2. This update includes numerous security fixes, including better add-on management, better group policy support, pop-up blocking, local machine zone lockdown, and many others. Sure, exposure to IE problems on a server is much less common, but it's still nice having the more secure IE on there.

The firewall

In my last column, I complained about Windows firewalls. While the new Windows Firewall still isn't quite what I was hoping for, it nevertheless has many new welcome features. Like the firewall in Windows XP SP2, it offers boot-time protection, global configuration, audit logging, better group policy integration, command-line support, and many other cool features. It still lacks in some areas, such as controlling outgoing traffic, but at least it provides easy protection for even the most novice users.
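The features listed above (global configuration, audit logging, command-line support) are all reachable through the `netsh firewall` context that shipped with XP SP2 and 2003 SP1. The following is an added example, not code from the column or from Microsoft: it enables the firewall with a default-deny inbound posture, turns on dropped-packet logging, re-opens one service scoped to the local subnet, and then summarises the log. The log path and the choice of `remoteadmin` on the local subnet are assumptions for the example.

```powershell
# Added example (not from the column): configure and audit the SP1 Windows
# Firewall with the netsh "firewall" context. Run in an elevated shell on
# the server itself.

# Show current state and configuration (operational mode, exceptions, logging).
netsh firewall show state
netsh firewall show config

# Enable the firewall on all profiles and disable all exceptions, so every
# inbound connection is dropped until something is explicitly allowed.
netsh firewall set opmode mode=enable exceptions=disable profile=all

# Audit logging: record dropped packets and successful connections.
# The file location below is an assumption; choose a path your log
# collection can read. maxfilesize is in KB.
netsh firewall set logging filelocation=C:\Windows\pfirewall.log maxfilesize=4096 droppedpackets=enable connections=enable

# Re-open only what this server role needs. Here: remote administration
# (RPC/DCOM management traffic), restricted to the local subnet.
netsh firewall set service type=remoteadmin mode=enable scope=subnet

# After some uptime, summarise which inbound destination ports are being
# dropped most often. The log is space separated with a "#Fields:" header:
#   date time action protocol src-ip dst-ip src-port dst-port size ...
# so the destination port is field index 7.
Get-Content C:\Windows\pfirewall.log |
    Where-Object { $_ -notmatch '^#' -and $_ -match ' DROP ' } |
    ForEach-Object { ($_ -split ' ')[7] } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

The `exceptions=disable` step is the part to test carefully: it also drops the management traffic you may be using to reach the box, which is why the example re-enables `remoteadmin` immediately afterwards and limits it to the subnet rather than `all`.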

Post-setup security updates

At one time, this was so common it was almost funny: people installed Windows and before they could download all the latest security updates, they were already infected by a host of worms that had them actively attacking other Internet hosts. In some cases, even being behind a firewall wasn't sufficient protection.

That just might now be a problem of the past. SP1-integrated Windows installations will now allow you to block all inbound network connections until you finish installing the latest security updates and configure the automatic updates feature. This is a good reason to go ahead and build those SP1-integrated installations rather than installing Windows then rebooting to install SP1.

RPC and DCOM security

Although there have been several issues with RPC and DCOM security, these technologies certainly have not been exploited to the extent they could have been. Fortunately, these interfaces were complicated enough for them to avoid widespread attention, but the potential was huge. Until now, hardening these services was mostly undocumented, and many techniques were highly experimental. Even with all our best efforts, it still was largely insufficient.

SP1 adds several features to better manage and control access to RPC and DCOM services. Computer wide restrictions and the ability to disable the incoming call, activation and launch requests gives an administrator much more control over DCOM access. There is also a new RestrictRemoteClients registry key to completely block remote, anonymous RPC access on the system. The new Windows Firewall also offers better RPC support that provides more intelligent and granular control over RPC services.
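As an added example (not code from the column or from Microsoft), the script below reads and sets the `RestrictRemoteClients` value mentioned above and reads the SP1 computer-wide DCOM limits. The registry path for `RestrictRemoteClients` (`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc`) and its three values come from Microsoft's RPC interface restriction documentation; the DCOM limit value names `MachineAccessRestriction` and `MachineLaunchRestriction` under `HKLM\SOFTWARE\Microsoft\Ole` are the documented SP1 computer-wide restriction values, stored as binary security descriptors. The function names are this example's own.

```powershell
# Added example (not from the column): audit and set SP1 RPC/DCOM restrictions.
# RestrictRemoteClients (DWORD):
#   0 = no restriction: anonymous remote RPC callers accepted (pre-SP1 behaviour)
#   1 = anonymous remote callers rejected unless the interface explicitly
#       exempts itself
#   2 = all anonymous remote callers rejected, no exemptions (strictest; test
#       before deploying, some legacy clients depend on anonymous access)
# If the value is absent, the operating system's built-in default applies.
$rpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-RpcRemoteClientPolicy {
    if (-not (Test-Path $rpcKey)) { return $null }
    $p = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['RestrictRemoteClients']) {
        return [int]$p.RestrictRemoteClients
    }
    return $null
}

function Set-RpcRemoteClientPolicy([int]$Level) {
    if ($Level -lt 0 -or $Level -gt 2) { throw 'Level must be 0, 1 or 2' }
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Policy keys are read at service start; a reboot makes the change effective.
    Set-ItemProperty -Path $rpcKey -Name RestrictRemoteClients -Value $Level -Type DWord
}

# The computer-wide DCOM limits are REG_BINARY self-relative security
# descriptors; decode them to SDDL so the access and launch ACLs are readable.
function Get-DcomMachineRestrictions {
    $p = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue
    foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        $bytes = $null
        if ($p -and $p.PSObject.Properties[$name]) { $bytes = $p.$name }
        if ($bytes) {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
            $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        } else {
            $sddl = '(not set: SP1 built-in default applies)'
        }
        New-Object PSObject -Property @{ Limit = $name; Sddl = $sddl }
    }
}

# Report.
$current = Get-RpcRemoteClientPolicy
if ($current -eq $null) { 'RestrictRemoteClients not set' } else { "RestrictRemoteClients = $current" }
Get-DcomMachineRestrictions | Format-Table -AutoSize

# Uncomment to enforce the documented "default" level explicitly:
# Set-RpcRemoteClientPolicy -Level 1
```

Reading the DCOM limits as SDDL is the useful part for a review: the strings show which groups hold remote access and remote launch/activation rights machine-wide, which is exactly the "computer wide restrictions" the column refers to, and a change there is easy to diff across a fleet.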

Data execution prevention

SP1's new Data Execution Prevention (DEP) feature lets Windows take advantage of hardware technologies that prevent code execution in non-executable memory locations. This greatly limits exposure to those all-too-common buffer overflow attacks.

In addition to the hardware support, SP1 also provides software-enforced DEP to protect certain Windows system binaries.
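To see whether a given server actually benefits from hardware DEP, and under which policy, the following added example (not from the column or from Microsoft) queries the DEP properties that `Win32_OperatingSystem` exposes from XP SP2 / 2003 SP1 onward and shows the `/noexecute` switch in `boot.ini`, where the policy is configured on Windows 2003. The function name and the output layout are this example's own; the policy number-to-name mapping follows the WMI documentation for `DataExecutionPrevention_SupportPolicy`.

```powershell
# Added example (not from the column): report this server's DEP state.
function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy values:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (only system binaries and
    #   opted-in programs), 3 = OptOut (everything except exempted programs;
    #   the Windows Server 2003 SP1 default)
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        # True when the CPU supports NX/XD and the OS is using it; when False,
        # only the software-enforced DEP for system binaries is in effect.
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        CoversDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

Get-DepStatus | Format-List

# On Windows 2003 the policy lives in boot.ini as a /noexecute= switch
# (OptIn, OptOut, AlwaysOn or AlwaysOff). Show the active boot entry's setting.
Get-Content C:\boot.ini | Where-Object { $_ -match '/noexecute=' }
```

If `HardwareDepAvailable` comes back `False` on a machine whose processor supports NX, check that the feature is enabled in the BIOS and that the running kernel is the PAE-capable one; without it the buffer-overflow protection the column describes covers only the Windows system binaries.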

Security configuration wizard

The new SP1 Security Configuration Wizard (SCW) makes it much easier to lock down a server without requiring too much security knowledge. The wizard makes suggestions based on your current configuration and specified server roles, and it takes out much of the guesswork and hassle of enabling and disabling system services. Even if you use a custom or more complex hardening method, the SCW can simplify the procedure. The SCW stores its configuration using standard XML files so you can easily customize it for your own needs.

Hot patching

One of my own personal favorites is the hot patching feature that allows you to patch your system binaries even if they are currently in use. By actually patching the binaries in memory, this new feature will significantly reduce the number of reboots required for hotfixes. You will still need to reboot after updating kernel-level binaries, but as always, the fewer reboots the better.

SP1 includes all previous security updates and undoubtedly includes thousands of other fixes that they never announced publicly. This service pack is a significant deliverable on Microsoft's Trustworthy Computing initiative and does a great job at improving system security. It reduces the attack surface, better supports the concept of least privilege, and implements a number of proactive security strategies.

What else can I say? No complaints this month, I'm impressed.

Copyright © 2005, SecurityFocus

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle.

Related stories

Where, oh where, is my Windows firewall?
Microsoft RTMs Windows Server 2003 SP1
MS and security: good effort but no cigar
