In praise of Windows 2003 SP1
Comment Usually I get to use this space to complain about Microsoft's poor security practices, but not this time -- with last week's release of Windows 2003 Service Pack 1, this time they get praise. After eighteen months of beta testing, Service Pack 1 (SP1) is now publicly available and loaded with security enhancements. I thought I'd mention some of my own favorites here.
The most important security improvement I noticed right off was the significant shift of attitude towards security. Microsoft's technical overview of SP1 begins with several honest admissions. The document openly acknowledges the "customer pain centered on server security." They also confess that, "Update management?is too complex and too labor intensive" and that "customers must painstakingly test the updates to verify that they do not interfere with mission critical systems."
The document also states that the current approach to Windows security "often delivers too little security too late for many Windows Server 2003 customers," adding that, "This situation is simply untenable."
I was quite shocked. No justifications, no defensiveness, no blaming, and no marketing fluff. They simply concede that they had problems and now offer some reasonable fixes.
A long-awaited security update is the more secure Internet Explorer that, up to now, was only available on Windows XP SP2. This update includes numerous security fixes, including better add-on management, better group policy support, pop-up blocking, local machine zone lockdown, and many others. Sure, exposure to IE problems on a server is much less common, but it's still nice having the more secure IE on there.
In my last column, I complained about Windows firewalls. While the new Windows Firewall still isn't quite what I was hoping for, it nevertheless has many new welcome features. Like the firewall in Windows XP SP2, it offers boot-time protection, global configuration, audit logging, better group policy integration, command-line support, and many other cool features. It still lacks in some areas, such as controlling outgoing traffic, but at least it provides easy protection for even the most novice users.
Post-setup security updates
At one time, this was so common it was almost funny: people installed Windows and before they could download all the latest security updates, they were already infected by a host of worms that had them actively attacking other Internet hosts. In some cases, even being behind a firewall wasn't sufficient enough protection.
That just might now be a problem of the past. SP1-integrated Windows installations will now allow you to block all inbound network connections until you finish installing the latest security updates and configure the automatic updates feature. This is a good reason to go ahead and build those SP1-integrated installations rather than installing Windows then rebooting to install SP1.
RPC and DCOM security
Although there have been several issues with RPC and DCOM security, these technologies certainly have not been exploited to the extent they could have been. Fortunately, these interfaces were complicated enough for them to avoid widespread attention, but the potential was huge. Until now, hardening these services was mostly undocumented, and many techniques were highly experimental. Even with all our best efforts, it still was largely insufficient.
SP1 adds several features to better manage and control access to RPC and DCOM services. Computer wide restrictions and the ability to disable the incoming call, activation and launch requests gives an administrator much more control over DCOM access. There is also a new RestrictRemoteClients registry key to completely block remote, anonymous RPC access on the system. The new Windows Firewall also offers better RPC support that provides more intelligent and granular control over RPC services.
Data execution prevention
SP1's new Data Execution Prevention (DEP) feature lets Windows take advantage of hardware technologies that prevent code execution in non-executable memory locations. This greatly limits exposure to those all-too-common buffer overflow attacks.
In addition to the hardware support, SP1 also provides software-enforced DEP to protect certain Windows system binaries.
Security configuration wizard
The new SP1 Security Configuration Wizard (SP1) makes it much easier to lock down a server without requiring too much security knowledge. The wizard makes suggestions based on your current configuration and specified server roles, and it takes out much of the guesswork and hassle of enabling and disabling system services. Even if you use a custom or more complex hardening method, the SCW can simplify the procedure. The SCW stores its configuration using standard XML files so you can easily customize it for your own needs.
One of my own personal favorites is the hot patching feature that allows you to patch your system binaries even if they are currently in use. By actually patching the binaries in memory, this new feature will significantly reduce the number of reboots required for hotfixes. You will still need to reboot after updating kernel-level binaries, but as always, the fewer reboots the better.
SP1 includes all previous security updates and undoubtedly includes thousands of other fixes that they never announced publicly. This service pack is significant a deliverable on Microsoft's Trustworthy Computing initiative and does a great job at improving system security. It reduces the attack surface, better supports the concept of least privilege, and implements a number of proactive security strategies.
What else can I say? No complaints this month, I'm impressed.
Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle.
Sponsored: Are DLP and DTP still an issue?