In praise of Windows 2003 SP1

Reasonable fixes


Comment Usually I get to use this space to complain about Microsoft's poor security practices, but not this time -- with last week's release of Windows 2003 Service Pack 1, this time they get praise. After eighteen months of beta testing, Service Pack 1 (SP1) is now publicly available and loaded with security enhancements. I thought I'd mention some of my own favorites here.

Attitude shift

The most important security improvement I noticed right off was the significant shift of attitude towards security. Microsoft's technical overview of SP1 begins with several honest admissions. The document openly acknowledges the "customer pain centered on server security." They also confess that, "Update management … is too complex and too labor intensive" and that "customers must painstakingly test the updates to verify that they do not interfere with mission critical systems."

The document also states that the current approach to Windows security "often delivers too little security too late for many Windows Server 2003 customers," adding that, "This situation is simply untenable."

I was quite shocked. No justifications, no defensiveness, no blaming, and no marketing fluff. They simply concede that they had problems and now offer some reasonable fixes.

IE secured

A long-awaited security update is the more secure Internet Explorer that, up to now, was only available on Windows XP SP2. This update includes numerous security fixes, including better add-on management, better group policy support, pop-up blocking, local machine zone lockdown, and many others. Sure, exposure to IE problems on a server is much less common, but it's still nice having the more secure IE on there.

The firewall

In my last column, I complained about Windows firewalls. While the new Windows Firewall still isn't quite what I was hoping for, it nevertheless has many new welcome features. Like the firewall in Windows XP SP2, it offers boot-time protection, global configuration, audit logging, better group policy integration, command-line support, and many other cool features. It still lacks in some areas, such as controlling outgoing traffic, but at least it provides easy protection for even the most novice users.

Post-setup security updates

At one time, this was so common it was almost funny: people installed Windows and before they could download all the latest security updates, they were already infected by a host of worms that had them actively attacking other Internet hosts. In some cases, even being behind a firewall wasn't sufficient protection.

That just might now be a problem of the past. SP1-integrated Windows installations will now allow you to block all inbound network connections until you finish installing the latest security updates and configure the automatic updates feature. This is a good reason to go ahead and build those SP1-integrated installations rather than installing Windows then rebooting to install SP1.
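The firewall features listed above (command-line support, audit logging) and the "block everything inbound until the updates are on" state described here can both be driven from a script. The following is an added example, not code from the column or from Microsoft: it wraps the SP1-era `netsh firewall` context, puts the firewall into the shielded state, turns on logging, restores the normal exceptions afterwards, and summarises dropped inbound packets from the log. It assumes PowerShell is installed on the Windows Server 2003 SP1 host (PowerShell was a separate, later download) and that it runs as a local administrator; the log path, size limit and sample log lines are constructed.

```powershell
# Added example (not the column's or Microsoft's code). Assumes PowerShell on
# a Windows Server 2003 SP1 host and local administrator rights.

function Invoke-Netsh {
    # Run one "netsh firewall ..." command and return its output as text.
    param([string[]]$Arguments)
    $output = & netsh.exe firewall @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh firewall " + ($Arguments -join ' ') + " failed: " + ($output -join ' '))
    }
    return ($output -join "`n")
}

function Set-FirewallShielded {
    # Firewall on, all exceptions off: unsolicited inbound traffic is dropped.
    # Hold this state until the security updates are installed and Automatic
    # Updates is configured.
    Invoke-Netsh @('set', 'opmode', 'mode=ENABLE', 'exceptions=DISABLE')
}

function Set-FirewallNormal {
    # Firewall on with the configured exceptions back in force.
    Invoke-Netsh @('set', 'opmode', 'mode=ENABLE', 'exceptions=ENABLE')
}

function Enable-FirewallLogging {
    # Log both dropped packets and successful connections; size is in KB.
    # Path and size are constructed defaults.
    param([string]$LogPath = 'C:\WINDOWS\pfirewall.log', [int]$MaxSizeKB = 4096)
    Invoke-Netsh @('set', 'logging', "filelocation=$LogPath", "maxfilesize=$MaxSizeKB",
                   'droppedpackets=ENABLE', 'connections=ENABLE')
}

function Get-DroppedInboundByPort {
    # Count DROP entries for received packets in pfirewall.log, keyed by
    # protocol/destination port. Log fields (W3C style, header line begins '#'):
    # date time action protocol src-ip dst-ip src-port dst-port size ... path
    param([string[]]$LogLines)
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $f = [regex]::Split($line.Trim(), '\s+')
        if ($f.Count -lt 8) { continue }
        if ($f[2] -ne 'DROP' -or $f[$f.Count - 1] -ne 'RECEIVE') { continue }
        $key = $f[3] + '/' + $f[7]
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }
    return $counts
}

# Constructed sample log lines for an offline run (not a real capture).
$SampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2005-04-05 12:00:01 DROP TCP 10.0.0.5 10.0.0.10 3312 445 48 S 1234567 0 65535 - - - RECEIVE',
    '2005-04-05 12:00:02 DROP TCP 10.0.0.6 10.0.0.10 3313 135 48 S 1234568 0 65535 - - - RECEIVE',
    '2005-04-05 12:00:03 DROP TCP 10.0.0.5 10.0.0.10 3314 445 48 S 1234569 0 65535 - - - RECEIVE',
    '2005-04-05 12:00:04 OPEN TCP 10.0.0.10 10.0.0.20 1055 80 - - - - - - - - -'
)

Get-DroppedInboundByPort -LogLines $SampleLog
```

The usual sequence on a freshly built box is `Enable-FirewallLogging`, `Set-FirewallShielded`, install the updates, then `Set-FirewallNormal`; the drop summary is worth running before the exceptions go back on, because anything already hammering ports 135 or 445 while the box is still unpatched is exactly the traffic the post-setup lockdown exists to hold off.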

RPC and DCOM security

Although there have been several issues with RPC and DCOM security, these technologies certainly have not been exploited to the extent they could have been. Fortunately, these interfaces were complicated enough to escape widespread attention, but the potential was huge. Until now, hardening these services was mostly undocumented, and many techniques were highly experimental. Even with all our best efforts, it was still largely insufficient.

SP1 adds several features to better manage and control access to RPC and DCOM services. Computer-wide restrictions and the ability to disable incoming call, activation and launch requests give an administrator much more control over DCOM access. There is also a new RestrictRemoteClients registry key to completely block remote, anonymous RPC access on the system. The new Windows Firewall also offers better RPC support that provides more intelligent and granular control over RPC services.
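Because these settings live in the registry, they are easy to audit across a fleet. The script below is an added example, not code from the column or from Microsoft: it reads the SP1 RPC restriction values (`RestrictRemoteClients` and `EnableAuthEpResolution` under the RPC policy key) and the DCOM computer-wide settings under `HKLM\SOFTWARE\Microsoft\Ole` (`EnableDCOM` plus the `MachineAccessRestriction` and `MachineLaunchRestriction` security descriptors), decoding the binary descriptors to SDDL so the access and launch ACEs can actually be read, and offers a setter for `RestrictRemoteClients`. It assumes PowerShell on the host and local administrator rights; the meaning strings for the three restriction levels summarise the SP1 documentation.

```powershell
# Added example (not the column's or Microsoft's code). Assumes PowerShell on
# a Windows Server 2003 SP1 host and local administrator rights.

$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Levels of RestrictRemoteClients as documented for SP1.
$RestrictRemoteClientsMeaning = @{
    0 = 'None: anonymous remote RPC allowed (pre-SP1 behaviour)'
    1 = 'Default: anonymous remote RPC refused except for exempted interfaces'
    2 = 'High: all anonymous remote RPC refused, exemptions included'
}

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function ConvertTo-Sddl {
    # The DCOM computer-wide restrictions are stored as binary self-relative
    # security descriptors; decode one into SDDL so the ACEs can be reviewed.
    param([byte[]]$Bytes)
    if ($Bytes -eq $null) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-RpcDcomHardening {
    # Collect the RPC and DCOM restriction state into one hashtable.
    $rrc = Get-RegValue $RpcPolicyKey 'RestrictRemoteClients'
    $meaning = 'value not set (system default applies)'
    if ($rrc -ne $null -and $RestrictRemoteClientsMeaning.ContainsKey([int]$rrc)) {
        $meaning = $RestrictRemoteClientsMeaning[[int]$rrc]
    }
    return @{
        RestrictRemoteClients   = $rrc
        RestrictRemoteClientsAs = $meaning
        EnableAuthEpResolution  = Get-RegValue $RpcPolicyKey 'EnableAuthEpResolution'
        EnableDCOM              = Get-RegValue $OleKey 'EnableDCOM'
        MachineAccessSddl       = ConvertTo-Sddl (Get-RegValue $OleKey 'MachineAccessRestriction')
        MachineLaunchSddl       = ConvertTo-Sddl (Get-RegValue $OleKey 'MachineLaunchRestriction')
    }
}

function Set-RestrictRemoteClients {
    # Apply an RPC restriction level. Level 2 also refuses the exempted
    # interfaces and can break RPC-dependent applications, so test it first.
    param([ValidateSet(0, 1, 2)][int]$Level)
    if (-not (Test-Path $RpcPolicyKey)) { New-Item -Path $RpcPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $RpcPolicyKey -Name 'RestrictRemoteClients' -Value $Level `
        -PropertyType DWord -Force | Out-Null
}

Get-RpcDcomHardening
```

The two SDDL strings are the part worth reading closely: an `Everyone` or `ANONYMOUS LOGON` ACE granting remote activation in `MachineLaunchSddl` is the kind of thing that looks harmless in the DCOM configuration dialog and only stands out once it is spelled out as text.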

Data execution prevention

SP1's new Data Execution Prevention (DEP) feature lets Windows take advantage of hardware technologies that prevent code execution in non-executable memory locations. This greatly limits exposure to those all-too-common buffer overflow attacks.

In addition to the hardware support, SP1 also provides software-enforced DEP to protect certain Windows system binaries.
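Whether DEP is actually in force on a given box depends on the hardware, the boot switch and the system-wide policy, so it is worth checking rather than assuming. The following is an added example, not code from the column or from Microsoft: it reports the DEP policy from the `Win32_OperatingSystem` WMI class (the `DataExecutionPrevention_*` properties) and cross-checks it against the `/noexecute=` switch in `boot.ini`. It assumes PowerShell on the host and that `boot.ini` is at `C:\boot.ini` (a constructed default; adjust for the system drive).

```powershell
# Added example (not the column's or Microsoft's code). Assumes PowerShell on
# a Windows Server 2003 SP1 host; the boot.ini path is a constructed default.

# Meaning of DataExecutionPrevention_SupportPolicy.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatusFromWmi {
    # Hardware availability plus the policy Windows is applying.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $name = 'unknown'
    if ($DepPolicyNames.ContainsKey($policy)) { $name = $DepPolicyNames[$policy] }
    return @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $name
        CoversDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Get-NoExecuteFromBootIni {
    # Read the /noexecute= value from the boot entry, if one is present.
    param([string]$Path = 'C:\boot.ini')
    if (-not (Test-Path $Path)) { return 'boot.ini not found' }
    foreach ($line in (Get-Content $Path)) {
        if ($line -match '(?i)/noexecute=(\w+)') { return $matches[1] }
    }
    return 'not set'
}

function Test-DepCoverage {
    # Flag the two states a server admin usually cares about: hardware DEP
    # absent (only software-enforced DEP on system binaries applies), and a
    # policy that leaves most processes out of DEP.
    $wmi = Get-DepStatusFromWmi
    $boot = Get-NoExecuteFromBootIni
    $findings = @()
    if (-not $wmi.HardwareDepAvailable) { $findings += 'No hardware NX/XD support; only software-enforced DEP applies' }
    if ($wmi.Policy -eq 'AlwaysOff' -or $wmi.Policy -eq 'OptIn') { $findings += ("Policy is " + $wmi.Policy + "; most processes run without DEP") }
    return @{ Wmi = $wmi; BootIniSwitch = $boot; Findings = $findings }
}

Test-DepCoverage
```

A mismatch between the two sources (for example `boot.ini` saying `OptOut` while WMI reports `OptIn`) usually means the box has not been rebooted since the switch was changed, which is the one place the hot patching feature mentioned below does not help.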

Security configuration wizard

The new SP1 Security Configuration Wizard (SCW) makes it much easier to lock down a server without requiring too much security knowledge. The wizard makes suggestions based on your current configuration and specified server roles, and it takes out much of the guesswork and hassle of enabling and disabling system services. Even if you use a custom or more complex hardening method, the SCW can simplify the procedure. The SCW stores its configuration using standard XML files so you can easily customize it for your own needs.
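Once a policy XML has been saved, the useful follow-on is checking other servers against it and pushing it out without clicking through the wizard on each one; SP1 ships `scwcmd.exe` for that. The script below is an added example, not code from the column or from Microsoft: it runs `scwcmd analyze` against a list of servers with one policy file and then turns the same policy into a Group Policy object with `scwcmd transform`. The policy path, server names, result directory and GPO name are constructed; the `scwcmd` verbs and switches used (`analyze /m: /p: /o:` and `transform /p: /g:`) are its standard ones. It assumes PowerShell on an SP1 host and rights to read the remote servers and create GPOs.

```powershell
# Added example (not the column's or Microsoft's code). Assumes PowerShell on
# a Windows Server 2003 SP1 host with scwcmd.exe present.

function Invoke-ScwAnalysis {
    # Compare each server's live configuration with the saved policy.
    # scwcmd writes one result XML per host into $ResultDir; the exit code and
    # console output are kept per server so failures are visible.
    param([string]$PolicyPath, [string[]]$Servers, [string]$ResultDir)
    if (-not (Test-Path $PolicyPath)) { throw "Policy not found: $PolicyPath" }
    if (-not (Test-Path $ResultDir)) { New-Item -ItemType Directory -Path $ResultDir | Out-Null }
    $results = @{}
    foreach ($server in $Servers) {
        $out = & scwcmd.exe analyze "/m:$server" "/p:$PolicyPath" "/o:$ResultDir" 2>&1
        $results[$server] = @{ ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
    }
    return $results
}

function ConvertTo-ScwGpo {
    # Create a GPO from the policy so the same settings can be linked to an OU.
    param([string]$PolicyPath, [string]$GpoName)
    & scwcmd.exe transform "/p:$PolicyPath" "/g:$GpoName"
    if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }
}

function Get-ScwAnalysisSummary {
    # One line per server: exit 0 means the analysis itself ran; the result
    # XML in $ResultDir holds the actual deviations from the policy.
    param([hashtable]$Results)
    $lines = @()
    foreach ($server in ($Results.Keys | Sort-Object)) {
        $lines += ("{0}: exit {1}" -f $server, $Results[$server].ExitCode)
    }
    return $lines
}

# Constructed values for illustration.
$Policy  = 'C:\WINDOWS\security\msscw\Policies\FileServerBaseline.xml'
$Servers = @('FS01', 'FS02')
$Report  = Invoke-ScwAnalysis -PolicyPath $Policy -Servers $Servers -ResultDir 'C:\SCW-Results'
Get-ScwAnalysisSummary -Results $Report
# ConvertTo-ScwGpo -PolicyPath $Policy -GpoName 'File Server Baseline (SCW)'
```

Run the analysis on a schedule and the result files become a drift record: a service that was disabled by the policy and is running again on one host shows up there long before anyone notices it in the Services console.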

Hot patching

One of my own personal favorites is the hot patching feature that allows you to patch your system binaries even if they are currently in use. By actually patching the binaries in memory, this new feature will significantly reduce the number of reboots required for hotfixes. You will still need to reboot after updating kernel-level binaries, but as always, the fewer reboots the better.

SP1 includes all previous security updates and undoubtedly includes thousands of other fixes that they never announced publicly. This service pack is a significant deliverable on Microsoft's Trustworthy Computing initiative and does a great job at improving system security. It reduces the attack surface, better supports the concept of least privilege, and implements a number of proactive security strategies.

What else can I say? No complaints this month, I'm impressed.

Copyright © 2005, SecurityFocus

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle.

Related stories

Where, oh where, is my Windows firewall?
Microsoft RTMs Windows Server 2003 SP1
MS and security: good effort but no cigar
