Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software IT

Microsoft Releases Windows Server 2003 SP1 371

Masq666 writes "Microsoft has wrapped up development on the first major update to its Windows Server 2003 operating system and released it for download, The company said that Windows Server 2003 Service Pack 1 is currently available for download via Microsoft's site and will soon start showing up on new servers. Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2. News.com.com has more details and commentary."
This discussion has been archived. No new comments can be posted.

Microsoft Releases Windows Server 2003 SP1

Comments Filter:
  • by dolo666 ( 195584 ) on Thursday March 31, 2005 @10:20AM (#12099946) Journal
    First new and improved script-kiddie exploits available in 3...2..1...
    • by SilentChris ( 452960 ) on Thursday March 31, 2005 @10:26AM (#12100012) Homepage
      True, but they have a few excellent ideas in there. I'm a little "meh" about the "security configuration wizard" (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

      The PSSU feature, though (as I mentioned in another post), that blocks incoming traffic on first boot and immediately directs the user to download updates is awesome. Why other companies haven't thought about this, I have no idea. I really hope this gets put into the next consumer version of Windows.
      • (personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

        [sarc]
        But wizards help to let everyone have a server. Its the logical follow up to having spelling and grammar checking in your software. Pretty soon, you won't need to learn about anything to administer a windows cluster. Heck, you won't even need a mouse or schooling. Just a microphone, voice recognition software and that MIT metaphor software. You'll just growl at your compute
      • if you're using a wizard to configure security you probably shouldn't be admining a server in the first place.

        I disagree that the primary message is that the user is incompetent. If your server insecure out of the box in such simple ways that they can be fixed using a security wizard, you're using the wrong operating system. This is a server OS, it makes no sense to have it be insecure by default.

      • personally, if you're using a wizard to configure security you probably shouldn't be admining a server in the first place
        Not necessarily. The point of a wizard is to standardize the interface so that it's easy to discover how to apply the settings. It doesn't make it any less important to understand what the settings do.

  • Intriguing. (Score:5, Informative)

    by Tuxedo Jack ( 648130 ) on Thursday March 31, 2005 @10:23AM (#12099977) Homepage
    I've been using the latest RC as a desktop OS for a while, and it's pretty good; it does have some issues with Steam, but then again, it's not meant to be a gaming OS, just a server OS.

    All in all, though, it's damn stable and secure as is, and it's pretty responsive.
  • by Tibor the Hun ( 143056 ) on Thursday March 31, 2005 @10:23AM (#12099978)
    OK, I am not a Windows Server 2003 admin, but is it just me, or is it really odd that Microsoft is just now including a firewall?

    • It does seem kind of odd, seeing as how most people running this will be behind a NAT device on a private LAN (office servers and such). This isn't a desktop OS, and it won't get treated like XP does.

      However, it doesn't hurt to turn it on and refuse all traffic until Windows Update has been visited.
    • You're right.

      I have a couple dedicated servers and my biggest beef with 2003 is that it didn't come with a built in software firewall. Not only that, decent 3rd party wares were/are hard to find and had "more than I needed". There are a couple strategies for protecting your interfaces such as using RRAS to nat all outgoing requests, and forward incoming ones, but for whatever reason is difficult to get working correctly.

      All in all a welcome update, but I'd like to know why it wasn't part of the original r
      • by Deviate_X ( 578495 ) on Thursday March 31, 2005 @10:52AM (#12100304)
        Well it did come with a firewall. As a fact the same firewall is supplied with every version of 2003 and XP:

        Windows Basic Firewall [microsoft.com]
        • Yes, but it doesn't work very well in an envronment with more than one IP address.
          • Great, now you've discoverd the firewall exists. Whats the problem with multiple IPs? You can easily set the access to specific ports by specific IP. Where's the problem?
            • Where's the problem?

              PEBCAK.

              Seriously though, why cry about a software firewall missing anyway? Anyone worth their weight in penguin poop uses a Cisco or other router to do alot of their dirty work for them. A software firewall is more like a last line of defense. I'd hate to see these guys running a group of servers in an average IT department. "No software firewall? Oh well! I'll just plug it into the t1 on it's public IP and away we go!"
            • LOL - have you tried this?

              NAT protects at the interface level. Port forwarding is also accomplished at the interface level. The "firewalling" can be done by setting up general port forwards for the interface, and specifying IP filters for address in the NAT pool. This is a "hack" as far as I'm concerned. Primarily because the NAT/Basic Firewall is mislabeled. It's NAT with port forwarding and an option to filter packets. This setup can end up acting like a firewall but it's difficult to setup, use and admi
      • So, are you just a linux user who has never touched 2003 server and like to bash MS, or are you an incompetent MS admin that gives the rest of them a bad name?

        Vanilla 2003 server. Control Panel --> Network Connections--> Local Area Connections --> Properties-->Advanced--> "INTERNET CONNECTION FIREWALL"

        Hmm, what do you know, a software firewall built into it.

        • Hmm what do you know, a marginal level of "firewalling".

          I should have had been a little more specific. I'm looking for a firewall from MS, at least on their server OS that has at least as much functionality as IP Chains or PF. The NAT RRAS solution doesn't work very well - nor does the built in ICF.

          Thank you for playing, please try again.
      • by hkb ( 777908 ) on Thursday March 31, 2005 @11:26AM (#12100748)
        No, you're both wrong.

        2003 has always had a firewall, ICF. NT, since at least version 4.0 has always had a firewall, but unfortunately, it was wrapped in the "IPSec Policy" functionality at the time.

        I would expect a clueless MS basher to actually look before flaming, though.
      • I'm not a Microsoft cronie or advicate, but I also don't want people to be misinformed. Server 2003 DOES include a built in firewall by default, but at that same time it is turned off by default. Right click on the network connection's local area network icon -> click on properties -> and select the advanced tab.
    • by Anonymous Coward
      Windows Server (.NET, 2003 whatever) has had a firewall in it essentially since Windows NT, in the form of the IPSec services, which offer every bit as much functionality as IPTables.

      The XP family bundled IPSec into a simple wrapper called Windows firewall, which was expanded upon in SP2 to provide things like warnings etc, and it is this functionality that has been cross-ported to the Server line.

      Regards,

      -Steve Gray
    • by LurkerXXX ( 667952 ) on Thursday March 31, 2005 @11:04AM (#12100462)
      If you were a 2003 admin, you would know that the default vanilla 2003 server does indeed include a software firewall. Anyone who says it doesn't either has never used it, or is one of those paper MCSE types that has no actual working knowledge of how to admin a windows box, and never discovered the setup for it because it wasn't included in his cram course.
    • Is it me or does including a firewall make no sense on a server? If there are vulnerable services running by default, surely turning them off would acomplish the same thing with less effort for MS. If users are turning them on, they can just as easily disable the firewall, and deserve all they get. If there are flaws in the TCP stack itself it can't be too hard to fix them, and they can probably be exploited using the ports that are open because they are running services - that's why it's called server, rig
      • by crimoid ( 27373 ) on Thursday March 31, 2005 @11:47AM (#12101015)
        A local firewall will simply allow an administrator more control over who can access a system.

        Examples:

        You've got service "A" that you only want to allow connections from localhost.

        Service "B" you only want connections from your local LAN

        Service "C" you only want connections from one particular IP.

    • Windows 2003 pre-SP1 had a firewall. It was just like the one in Windows XP pre-SP2 (ie, not as robust).

      I haven't tried 2003 SP1 yet but I imagine it brings the firewall up to the functionality of the XP SP2 firewall.
  • by scupper ( 687418 ) * on Thursday March 31, 2005 @10:23AM (#12099979) Homepage
    The company also plans to have a beta version of Longhorn Server later this year.

    "That's our expectation," Price said.

    So what is "later this year" in Microsoft time?

    This?
    http://www.winsupersite.com/showcase/longhorn_prev iew_2005.asp [winsupersite.com]

    Longhorn Milestone 9 (M9) and platform complete
    March 2005

    Longhorn Beta 1
    Late May 2005

    Longhorn Beta 2
    October 2005

    Longhorn Release Candidate 0 (RC0)
    Late February 2006

    Longhorn Release Candidate 1 (RC1)
    April 2006

    Longhorn release to manufacturing (RTM)
    May 24, 2006
  • Brilliant idea (Score:5, Interesting)

    by SilentChris ( 452960 ) on Thursday March 31, 2005 @10:23AM (#12099980) Homepage
    In all seriousness, I definitely like the new "PSSU" (Post-Setup Security Updates) feature. Awful name, but it does the following when someone first installs Windows 2003:

    1.) Blocks all incoming traffic.
    2.) Immediately guides the first person who logs on through downloading updates.

    This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.
    • Is this a required step? Because I know there are times when I need to go straight into the Windows GUI - such as installing drivers to get on the internet in the first place.
      • The only driver I think most people would need to install is ethernet, and that can come on a CD. I certainly don't know anyone that installs ethernet drivers on fresh boxes using the network (if you can, show me how to perform that magic ;) ).

        That said, what it'd probably do is show the new user dialog, go to the site and bail out. I haven't tested what happens when the network card isn't properly installed.
    • This would be such a terrific blessing for new XP users: block traffic and immediately send them off to the update site. Excellent idea.

      Luckily, this is exactly what happens when a user installs Windows XP SP2 on a system. The firewall is enabled by default and the system starts harassing you about automatic updates.

      • Not quite. During the boot procedure, all traffic is blocked, but while the opening user dialog is running for the first time, traffic is open. The user is also given a choice if the firewall is enabled or not. They're also given the choice to have Windows download updates or not. They can turn down both choices.

        In this new system, all traffic is blocked and the user is shuttled off to the Windows Update site. They can disable settings later if they want. This way, it's secure out of the box.
    • What do you expect from the company who's update server product was named "WUS" (Windows Update Services) up until recently (they changed it to "WSUS", so much better).

      But yeah, this is PSSU thing does sound like a pretty good idea. Surely this will make it into Longhorn.
    • There is already network hardware that will drop machines into a "sealed" network if they detect anything wrong. They will get a rude awakening when they suddenly can't surf to hotmail.com because they've been disconnected from the general network due to detection of bad traffic. But this stuff isn't exactly cheap.

      In any event, this might be a great idea for small install bases but if you have administer a number of machines this is not feasible. Having to remotely monkey with machine is enough of a bur
  • by Anonymous Coward on Thursday March 31, 2005 @10:24AM (#12099995)
    Enhancements

    In addition to finding and updating security holes before hackers can exploit them, Service Pack 1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of the key enhancements included in Service Pack 1:

    Stronger defaults and privilege reduction on services--Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.

    Support for "no execute" hardware--Service Pack 1 allows Windows Server 2003 to utilize functionality built in to computing hardware, from companies such as Intel and Advanced Micro Devices, to prevent malicious code from launching attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.

    Network Access Quarantine Control components included--Windows Server 2003 SP1now includes the Rqs.exe and Rqc.exe components to make deployment ofNetwork Access Quarantine Control easier. For more information, see Network Access Quarantine Control in Windows Server 2003.

    IIS 6.0 metabase auditing--The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.

    New features

    Microsoft is taking the opportunity afforded by the release of Service Pack 1 to introduce powerful new functionality to Windows Server 2003.

    Windows Firewall--Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall around each client and server computer on a customer's network. Unlike Windows XP Service Pack 2, the Windows Firewall is off by default on Server 2003 Service Pack 1, and must be turned on to begin protecting systems. The Windows Firewall is enabled for a brief time during Service Pack 1 clean installs for the duration of the new Post-Setup Security Updates portion of setup.

    Post-Setup Security Updates (PSSU)--Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.

    Security Configuration Wizard (SCW)--SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW will not add roles, but will configure the server around the roles it performs. Like boarding-up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.
  • by Metroid72 ( 654017 ) on Thursday March 31, 2005 @10:33AM (#12100071)
    I say wait until SP2.
  • 64 bit XP (Score:5, Interesting)

    by buhatkj ( 712163 ) on Thursday March 31, 2005 @10:33AM (#12100073) Homepage
    IMHOP, the more interesting tidbit from this article is the info that XP 64-bit should go on sale next month :-) As the proud owner of 2 athlon 64's, that's actually something I would want to know about....
  • Ok, I have used Windows for development in 95 and 98 releases and now use OS X very happily. What surprises me is we are in late March of 2005 and Windows 2003 SP***1*** is being released.
    • Why release one if theres no loud demand for it? Seeing as your an Apple user, I'm afraid to break the news to you that not every OS vendor has chance to push out a few mediocre SDK features every half year and name it after some random wild animal. Server is one of the most polished efforts from Microsoft yet, and as a test case of it's new security initiative you'd be hard pressed to find signifigant fault, since practically every bug that's hit the XP range is not a threat to it, and in terms of total s
  • by StateOfTheUnion ( 762194 ) on Thursday March 31, 2005 @10:35AM (#12100101) Homepage
    From the News.com.com link in the topic:

    Microsoft is also using the Windows Server 2003 SP1 code base as the starting point for the next desktop version of Windows, code-named Longhorn, which is slated to arrive next year.

    Wasn't Longhorn supposed to originally be released this year? If they're going to use this service pack as a code base, they must be a long, long, long way off from a longhorn release . . .

  • by EXTomar ( 78739 ) on Thursday March 31, 2005 @10:41AM (#12100175)
    It is quite hefty but then this is what I expect from "Service Packs" especially in one giant chunk.

    "Download time remaining: 22 minutes"

    So now I'm chained to box since I suspect at some point I need to click something on some dialog to complete installation (this is an assumption but past history on other updates tells me I should watch the process to make sure it goes all the way through).

    On the other hand I had to setup sever based off of FC3 yesterday and out of the box it required to download 450MBish of stuff broken into 150+ individual downloads. After installing the gpg keys, I started the update ('yum -y update') and walked away from it. Other systems have something that is just as easy and dare say fool proof.

    I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accomidate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.
    • I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accomidate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.

      This is exactly what they do. The large 300+ MB download is designed for network administrators who want to download the whole thing to apply to multiple machines. If
  • If you install this on SBS2003, do NOT run the new wizards - wait until SBS2003 SP1 is released in the next month or so.
  • Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2

    In other words now you've finished dealing with the chaos that was caused by XP SP2 you can now start dealing with the chaos that is S2k3 SP1

  • by xxxJonBoyxxx ( 565205 ) on Thursday March 31, 2005 @10:46AM (#12100234)
    The usual security complaints about Microsoft OS's are that:
    1) They are easy to crack remotely with default installs.
    2) Weekly if not daily patches are required.

    So, Microsoft comes out with SP1 and people are already whining.
    1) What is the "no inbound connections by default" stuff going to help?
    2) The length of time between Windows 2003's release and its first service pack.

    C'mon people, put it together.

  • by thule ( 9041 ) on Thursday March 31, 2005 @10:54AM (#12100316) Homepage
    According to these links, Microsoft has finally figured out how Linux boots with tftp:
    BartPE using PXE [epitech.net]
    Booting Windows from a Debian box [msfn.org]
    It's nice to see Microsoft pick this up. Booting Windows with standard tools, what a concept!
    I'm sooooo spoiled with anaconda kickstarts... can Microsoft make deploying servers as easy as RedHat/Fedora?
  • Anyone know if it's still vulnerable to the old LAND attack?

    -maztuh
  • by scupper ( 687418 ) * on Thursday March 31, 2005 @11:05AM (#12100476) Homepage
    Hey, why aren't they rolling out a paired down version of Security Configuration Wizard (SCW) [microsoft.com] for XP?

    The "Security Center [microsoft.com]" on XP is pretty cheesy, didn't even include an updated MBSA [microsoft.com] until a couple months after XP sp2 was released. Most folks won't dig into using the Local Security Policy snap-in [microsoft.com] or Security Configuration and Analysis snap-in [microsoft.com], or fiddle with changing their template [microsoft.com].
  • Weeeee! (Score:2, Insightful)

    by Lisandro ( 799651 )
    Among the primary benefits of the free update is the inclusion of security enhancements similar to those added to Windows XP with last year's Service Pack 2.

    YES! I bet W2k3 server sysadmins will just love the new security features of XP like that great firewall. You know... the one that blocks local ICMP pings by default!
  • I guess they're going to roll out MBSA 2.0 later this year [microsoft.com]? They did the same thing with 1.2.1 when xp sp2 was released. I kind of thought they should release the MBSA with the service pack, or at least have it updated, tested and available to assist in configuration of the new security features, like 2k3 server's new firewall and checking Security Configuration Wizard for errors.

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...