Microsoft has recently released Service Pack 1 for Windows Server 2003. The release documents for the Service Pack are almost 300 pages long! The purpose of these next few articles is to list the main new features and changes the service pack will make to your server, Active Directory, and server applications. Hopefully, these articles will summarise what you need to know about the latest service pack in plain English; for a much more detailed description of each feature, please refer to the Microsoft documentation.
Security Configuration Wizard
The Security Configuration Wizard (SCW) is a new feature in Windows 2003 SP1, and probably the single largest addition to the OS in the Service Pack. The main function of the SCW is to reduce the attack surface of the server. It guides you through creating a security policy that enables only the minimum functionality required by the server's role.
After installing SP1, the SCW needs to be installed via the Windows Components window of the Add or Remove Programs control panel. The SCW will then appear in the Administrative Tools folder. The SCW will allow you to either:
Create a new Security policy
Edit an existing Security policy
Apply an existing Security policy
Rollback the last applied Security policy
When creating a new security policy, the SCW offers almost 200 different server roles, which can be added to the policy to define the minimum services, ports and other functional requirements while providing maximum security. Roles, features, options, services and ports can be selected and de-selected as required, as can outbound authentication methods, registry settings and audit policies. The final policy is saved to an XML file, which can then be reused and modified across servers and server roles running the SCW.
It would be impossible to cover all the ins and outs of such a huge new tool in one article. For the full documentation of the Security Configuration Wizard, please go here.
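SP1 also installs a command-line front end to the wizard, scwcmd.exe, which lets the same XML policy be checked, applied and rolled back without walking through the GUI. The following is an added example of that workflow and is not taken from the article or from Microsoft's documentation; it assumes PowerShell is installed on the server, and the policy path, report directory, machine name and GPO name are placeholders you would replace with your own.

```powershell
# Added example: driving the Security Configuration Wizard with scwcmd.exe.
# $policy, $reportDir, $target and the GPO name below are assumed placeholders.
$policy    = 'C:\Policies\WebServer.xml'   # XML policy previously saved by the wizard
$reportDir = 'C:\Policies\Reports'         # where analyze writes its per-machine report
$target    = 'SERVER01'                    # server the policy will be checked against / applied to

# 1. Dry run: compare the target's current configuration with the policy and
#    write a report (<machine>.xml) into $reportDir without changing anything.
scwcmd analyze /p:$policy /m:$target /o:$reportDir

# 2. Render that XML report as HTML so the differences can be reviewed before applying.
$report = Join-Path $reportDir ($target + '.xml')
scwcmd view /x:$report

# 3. Apply the policy to the target. SCW records the previous settings so the
#    change can be reverted.
scwcmd configure /p:$policy /m:$target

# 4. If a service or application stops working, revert the last applied policy.
scwcmd rollback /m:$target

# 5. Convert the same policy into a Group Policy Object so it can be applied
#    to an OU of servers through Active Directory instead of machine by machine.
scwcmd transform /p:$policy /g:"SCW Web Server Policy"
```

Running analyze before configure is the useful habit here: it shows which services, ports and settings the policy would change on that particular server, which is where the "minimum functionality" claim gets verified against reality before anything is switched off.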
Access Based Enumeration
To enable this feature you will need to download and install an additional component in the form of an MSI file (abeu.msi) from the Microsoft Download site. When it is installed, a new tab named "Access Based Enumeration" will appear in the properties of shared folders.
When enabled, this changes the view users have of files and folders when accessing shares held on the Windows 2003 server. Only files and folders the user has permission to access are displayed, and nothing else. Before this change, users could see all files and folders regardless of permissions, but could not open the folders or files they were denied access to.
Add or Remove Programs Filter
A new check box called Show Updates has been added to the Add or Remove Programs control panel. With SP1, only installed programs are displayed until this check box is ticked; it then displays both programs and updates together.
This feature is available to any software vendor, not just for Microsoft updates.
DCOM Security Enhancements
The Default COM Security tab in the Component Services control panel (My Computer properties) has been renamed to COM Security and extra functionality added. It now has an extra button, "Edit Limits", for both Access Permissions and Launch Permissions. This provides a further computer-wide access check in addition to the existing per-application access control checks. It was introduced because some processes previously had weak settings that allowed unauthenticated access, and administrators had no way to enforce stronger settings on them.
A new group called "Distributed COM Users" has also been created to speed up the process of adding users to the DCOM computer-wide restriction settings.
RPC Service Changes
Pre-SP1, the RPCSS service provided both the RPC Endpoint Mapper and the DCOM infrastructure, and it ran under the Local System account. SP1 splits this into two services: the original RPC service (for the RPC Endpoint Mapper) and a new service called DCOM Server Process Launcher, which is not network facing. The RPC service did not need Local System privileges, so it now runs under the NT AUTHORITY\NetworkService account, while the new DCOM Server Process Launcher service runs as Local System. This was introduced to reduce the attack surface of Windows and to tighten the security permissions of network-facing services.
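The DCOM limits and the RPC/DCOM service split described in the two sections above are both things an administrator can verify after applying SP1. The script below is an added example written for this article, not Microsoft's code; it assumes PowerShell is installed on the server. The registry values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Microsoft\Ole are the stores for the "Edit Limits" settings, and RpcSs and DcomLaunch are the service names behind the RPC service and the DCOM Server Process Launcher.

```powershell
# Added example: audit the SP1 DCOM limits and the RPC/DCOM service accounts.
# Assumes PowerShell is installed; output is informational only, nothing is changed.

function Get-DcomLimitSddl {
    # Returns the computer-wide limit (set via "Edit Limits") as an SDDL string,
    # or $null when the value is absent and the built-in defaults still apply.
    param([string]$ValueName)   # MachineAccessRestriction or MachineLaunchRestriction
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $bytes = $ole.$ValueName    # REG_BINARY: a self-relative security descriptor
    if (-not $bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    return $sd.GetSddlForm('All')
}

'--- DCOM computer-wide limits ---'
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $sddl = Get-DcomLimitSddl $name
    if ($sddl) { "{0}: {1}" -f $name, $sddl }
    else       { "{0}: not set (built-in default limits in effect)" -f $name }
}
# Reading the SDDL lets you confirm that no ACE grants Everyone or ANONYMOUS LOGON
# remote access or remote activation beyond what you intended.

'--- RPC / DCOM service accounts ---'
foreach ($svc in 'RpcSs', 'DcomLaunch') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    if ($s) { "{0,-10} runs as {1} (state: {2})" -f $svc, $s.StartName, $s.State }
    else    { "{0,-10} not present: this looks like a pre-SP1 system" -f $svc }
}
# Expected after SP1: RpcSs runs as NT AUTHORITY\NetworkService, DcomLaunch as LocalSystem.

'--- Distributed COM Users group ---'
net localgroup "Distributed COM Users"
```

If DcomLaunch is missing or RpcSs still runs as LocalSystem, the service pack's RPC changes have not taken effect on that machine, which is worth checking on servers that were imaged or rolled back after SP1 was installed.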
Device\Physical Memory Change
The Device\Physical Memory object is used by applications to access physical memory, for example by applications attempting to read BIOS data. Pre-SP1, access to it was controlled by an Access Control List. Service Pack 1 changes this and now denies all user-mode access to the object, regardless of user context or application.