Packaging the new functionality of Windows Server 2003 R2 as a 2-CD release distinct from Windows Server 2003 SP1 helps organizations deploy only the new features they need to specific servers. The first CD in the release package contains a slipstream installation of Windows Server 2003 with SP1, and all of the Windows Server 2003 R2 features are contained on the second CD. Unlike deploying a service pack, organizations can select the new functionality they will adopt without forgoing any critical security updates. Moreover, as organizational needs change, they can install or uninstall the new features of Windows Server 2003 R2 as they see fit.
Integration with Windows Server 2003 SP1
Windows Server 2003 R2 is built on Windows Server 2003 SP1 to create the tightest possible integration, forming the best Windows Server operating system produced by Microsoft to date. Such integration means that while Windows Server 2003 R2 delivers powerful new functionality in the arenas of branch office server administration, identity management, and efficient storage management, it does not require testing above and beyond the testing required for SP1, lowering the costs of adoption. Application compatibility with SP1 means that there is application compatibility with Windows Server 2003 R2. Future updates can be released for both Windows Server 2003 SP1 and Windows Server 2003 R2, lowering the cost of administering network environments where both operating systems are being used.
About Windows Server 2003 SP1
Windows Server 2003 SP1 provides convenient, comprehensive access to the latest updates, enhancements, and new features for Windows Server 2003. Each of these components allows customers to better leverage the enhanced security, reliability, and performance of Windows Server 2003.
Update management is one of the great challenges of computer security. Despite the inherent management difficulties they present, updates will continue to play a vital role in better securing enterprise IT. While enhancements and new functionality delivered by Windows Server 2003 SP1 make great strides toward more proactive security, reacting to known threats is still a core mission of SP1.
Frequent updating is essential to keeping up with exploits as they are discovered. By providing these updates together in SP1, Microsoft provides customers, both new and old, with the latest protection for Windows Server 2003.
The updates disseminated by SP1 cover some of the most basic functionality—and thus remove some of the most widely exploited attack points—of Windows Server 2003. These updates include:
MicrosoftInternet Explorer—Updates to this software help prevent unintentional downloads of misrepresented, malicious code and the automatic resizing of browser windows as a ruse to extract sensitive data from employees.
Microsoft Outlook® Express—This update affords users the option of rendering e-mail in plain text rather than HTML. This provides one more barrier against the spread of malicious code through e-mail.
WebDAV Redirector—By updating this behind-the-scenes program, customers can access Web-based Distributed Authoring Versioning (WebDAV) servers, such as Microsoft Windows SharePoint® Services and MSN®Communities, as if they were standard file servers. Moreover, this update helps prevent customers’ credentials (user name, password) from being transmitted over unencrypted channels during such exchanges.
Microsoft addresses update-related server down time with the Hot Patching feature in SP 1. Hot Patching allows customers to apply updates to drivers, DLLs, APIs, or any non-kernel-level component of Windows Server 2003 without restarting the server.
In addition to finding and updating security holes before hackers can exploit them, SP1 includes improvements to functionality that originally shipped with Windows Server 2003. Such enhancements make a great product better and raise the security, reliability, and productivity of Windows Server 2003. Below are brief descriptions of some of these key enhancements:
Stronger defaults and privilege reduction on services—Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, SP1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves.
Support for “no execute” hardware—SP1 allows Windows Server 2003 to utilize functionality built in to computing hardware to help ensure that malicious code cannot launch attacks from areas of computer memory that should have no code running in it. For both 32-bit and 64-bit systems, this enhancement closes the door on one of the broadest and most exploited avenues of information attack.
Network Access Quarantine Control components included—Windows Server 2003 SP1 now includes the Rqs.exe and Rqc.exe components to make deployment of Network Access Quarantine Control easier.
IIS 6.0 metabase auditing—The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services (IIS) 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.
As part of SP1, Microsoft is introducing powerful new functionality to Windows Server 2003.
Windows Firewall—Also released with Windows XP Service Pack 2, Windows Firewall is the successor of the Internet Connection Firewall. Windows Firewall is a host (software) firewall, a firewall helping protect each client and server computer on a customer’s network. Unlike Windows XP Service Pack 2, Windows Firewall is off by default on Windows Server 2003 Service Pack 1, and must be turned on to begin protecting systems. Windows Firewall is enabled by default for a brief time immediately following operating system installations that include Service Pack 1. Windows Firewall stays enabled for the duration of the new Post-Setup Security Updates portion of setup.
Post-Setup Security Updates (PSSU)—Servers are vulnerable in the time between initial installation and having the latest security updates applied. To counter this, Windows Server 2003 with Service Pack 1 uses Windows Firewall to help block all inbound connections to the server after installation until Windows Update delivers the latest security updates to the new computer. After updating, Windows Firewall is turned off until it is manually configured for server roles. PSSU also guides users through immediate configuration of Automatic Updates.
Security Configuration Wizard (SCW)—SCW is a wizard that configures server security based upon existing server roles. SCW asks questions about server roles and then stops all services not necessary to perform those roles. SCW does not add roles, but configures the server around the roles it performs. Like boarding up unused doors, this new feature helps reduce the attack surface of Windows Server 2003.