Share via


Windows 2003 SP1 is here!!!

For those of you who were asking when Windows 2003 SP1 was going to be released... today is a reality. For the rest of you who are asking why to apply it in your current environment, here are some reasons which could help to take this decision:

  • Reduce your server's attack surface
  • Help protect newly installed servers
  • Get firewall protection from startup to shutdown
  • Bolster your defenses with "no execute" hardware support and software
  • Help protect your system services with stronger default settings and reduced privileges
  • Isolate out-of-date virtual private network (VPN) assets
  • Monitor and audit your Internet Information Services (IIS) configuration settings
  • Windows Firewall Policy Management
  • Help secure Internet Explorer
  • Avoid potentially unsafe e-mail (Outlook Express)

Review the following references for more details about it (more technical details, how to get it, etc.):

Windows 2003 SP1 details
Windows Server 2003 SP1 (32 bit-installation package)
Professor Windows - April 2005 Windows 2003 SP1

SP1 includes a utility named SCW (Security Configuration Wizard). SCW is one of the new features added to Windows Server 2003 in SP1.  It guides administrators through attack surface reduction.  With this component admins can quickly and easily disable unused services, block unnecessary ports, modify registry values, and configure audit settings; is a wizard that configures server security based upon existing server roles (Domain Controller, Web Server, etc.). SCW is an optional component in Windows Server 2003 Service Pack 1. To install it, you must first install Service Pack 1 for Windows Server 2003 and then go to Add/Remove Windows Components.

What you have to consider when you use SCW in an environment with Exchange 2003 (as you already know Exchange 2000 is not supported in Windows 2003) is that (from the Product Team)...

There is a known issue that occurs when the Network Security feature in SCW is run on an Exchange server on which Exchange is not installed to the default path (i.e., %ProgramFiles%\Exchsrvr). In that configuration, a customer using SCW could accidentally block the TCP/IP port access by Exchange processes (System Attendant, Store, MTA, etc.). In this case, SCW will display [Not Found!] next to each process in the Network Security section. If SCW is run to completion with a process that has [Not Found!] next to it, SCW will apply the security policy to the Windows Firewall that blocks network access by that process.

There are a couple solutions for this:

  • Use SCW's rollback feature to roll back a security policy after it has been applied. For more information on how to do this, see the Security Configuration Wizard Help file.
  • Manually fill in the Application path field in the Network Security section to specify the location of the Exchange executable process files. It is recommended that you run SCW on the Exchange server to do this to ensure that the path to each Exchange process executable is correct. Once each process executable has been approved, SCW security policy can be applied and Exchange should have the network access it requires to function.

Also review the following references which can be useful to avoid affecting your current Exchange environment:

Error message when a user tries to access a clustered Exchange Server 2003 back-end server by using Outlook Web Access
After you run the SCW in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts

I strongly recommend to apply SP1 as a security measure, but don't forget that as any hotfix/sp/change to be applied in your production environment you must follow these simple steps:

  • Apply it in a controlled environment (a lab environment is preferable)
  • Test all your applications
  • Test it again
  • Don't forget to test it
  • ...
  • hope you have got my point :)
  • Follow your Change Management procedures (if any hehehe)
  • Apply it in your production environment and verify that your applications are running correctly