They are the two words with which system administrators have a love-hate relationship: Service Pack. While service packs often include necessary functionality, there is always the possibility of one disrupting the functions of key systems and applications.
In the Microsoft world, Service Packs include all the fixes and patches for a given product since its last release and often include new functionality. In the case of Service Pack 1 (SP1) for Windows Server 2003, there is a security update and, much like SP2 for Windows XP, there is a heavy focus on security, said Derick Wong, senior product manager of security and management at Microsoft Canada Co. in Mississauga, Ont. This will be the only Windows Server 2003 service pack because Microsoft will distribute Windows Server 2003 Release 2 later this year.
Although users experienced numerous disruptions with XP SP2, Wong said Windows Server 2003 SP1 deployments should be smoother and disturb fewer systems. Of course, Microsoft recommends that users run SP1 on a tests server just to make sure.
“Windows Server 2003 was a lot more locked down right out the box than Windows Server 2000,” said Leigh Popov, manager for technical services and capital planning and the Credit Valley Hospital in Mississauga, Ont., who has been testing SP1 for about a month. “And the changes with SP1 were not nearly as dramatic as the ones that came with (Windows XP) SP2. Because XP was lot more open, there were a lot of things SP2 shut down.”
There are three key security updates to Windows Server 2003 Service Pack 1 (SP1): the Security Configuration Wizard; the addition of a Windows Firewall; and Post-Setup Security Updates (PSSU), Wong said.
The Security Configuration Wizard lets users designate the role of the server during configuration, such as file and print or Web. The Wizard will then automatically block all the services and ports not needed for that role.
“A file print server will use different ports in comparison to a Web server,” Wong explained. Previously, Windows administrators would have had to manually “harden” the operating system, he said. And one security guru says the security updates to SP1 do have substance and are not just smoke and mirrors.
“Microsoft has done a good job making it easier for the non-security-expert system administrator to ensure that their Windows servers meet an acceptable level of security,” said Jeff Posluns, founder of SecuritySage Inc. in Montreal.
He said Security Configuration Wizard, which lets a sys admin disable the stuff that isn’t necessary — like extra services, open ports and processes that are running — helps decrease the attack surface area of a server.
“It strips the default Windows to a minimum,” he said.
Credit Valley Hospital’s Popov agreed with Posluns.
“You could configure the server before but now you can do it in a simple, easy-to-understand way,” he said. “I don’t know how much time it will free up but during [installations] it will help us create tighter deployments from a security standpoint. Before you had to go to multiple places and change settings. Now it will be done more reliably.”
Credit Valley has about 100 servers. Because the hospital only keeps hardware for about three years, Popov and his staff replace about 30 to 35 servers each year, or about three or four a month. Although his eight IT staffers were all capable of manually hardening the operating system, he said SP1 will help them ensure they don’t miss anything when it comes to security.
Additionally, because it’s easier for users to set up servers with Windows Server 2003, Posluns said companies save time by, for example, delegating these tasks to more junior IT professionals. The addition of Windows Firewall to Windows Server 2003 is similar to the addition of a Firewall and the Windows Security Center with XP SP2.
When many users installed XP SP2, the firewall was automatically turned on, resulting in glitches for users of third-party firewalls. And it was up to the user to figure out how to disable the Windows firewall. But this is not so with the Windows Server 2003 SP1 firewall.
“The firewall will be defaulted off, but with new installations it will automatically be switched on,” Wong said.
Quick Link 050826
Related links: