The most compelling feature of Service Pack 1 for Windows Server 2003, released that last week, may be it’s power to take away from the operating system.
SP1 provides security enhancements not unlike those of SP2 for the XP operating system, but it’s doing so in a smarter way.
The problem with SP2 — and the reason that Microsoft temporarily disabled the automatic update feature that would allow customers to deploy it — was that it automatically activated a Windows firewall, potentially creating problems in other areas of an IT environment. SP1 for Server 2003 also includes a firewall, but it’s default is in the off position.
SP1 takes a similar approach with other features available in Server 2003 — it turns them off if they aren’t necessary. Through a security configuration wizard, users can specify what the server is being used for (e.g. file and print or a Web server) and only the germane features will be activated.
By keeping the server running on the necessary minimum, it’s possible to reduce the “attack surface area,” said Derick Wong, senior product manager of security and management at Microsoft Canada.
“They can actually disable unused services and block unnecessary ports and modify registry values to configure the Windows Server for that specific workload,” he said.
Andy Papadopoulos, president of Toronto-based integrator Legend Corp. is currently working with some of his clients looking to deploy SP1. As with any upgrade, he emphasizes caution and preparedness.
“It’s not a service pack, it’s a security pack,” he said, “so it’s going to make some deep changes. You’ve got to be educated first.”
Papadopoulos built a lab to test SP1 on a variety of common configurations of Server 2003 and recommends that his clients do the same. But by having an install wizard that can meet a user’s specifications, the install process should be simplified, he said.
“In most cases where customers had (security) issues, it’s simple; it just had to do with do with misconfiguration. They just had a lot of unnecessary services turned on,” he said.
Orezone Resources Inc., based in Ottawa, is a gold exploration and development company with operations in Africa. The company has Server 2003 deployed across its network, which communicates with its African operations via satellite.
Doug Perkins, the company’s CFO, said he will likely deploy SP1, but not immediately. “Given that we’re running all of our accounting and all of our geological databases by satellite linked into Africa. We can’t afford to cut that line. We will deploy it shortly, but we’ll just see if there are bugs first.”
Perkins’ IT department advised Orezone to wait at least a few weeks. “We’re pretty state of the art. As CFO, I push these guys but I listen to them as well,” he said.
Tourism Vancouver is also a Server 2003 user, but will wait even longer before considering a move to SP1. The organization is in the midst of a CRM rollout, said IT director Kevin Tarasoff, and that takes priority.
Microsoft is taking the right tack by helping users lock down unnecessary features and ports, he said. But Tourism Vancouver will wait until the end of the month — the deployment date for the CRM application, which will be hosted by a third-party provider — before looking at SP1. Tarasoff said he also backed away from SP2 for XP based on the advice of his services company and the results of some initial in-house tests. Both SP1 and SP2 may be deployed at a later date.