In praise of Windows 2003 SP1

Reasonable fixes

Usually I get to use this space to complain about Microsoft's poor security practices, but not this time -- with last week's release of Windows 2003 Service Pack 1, this time they get praise. After eighteen months of beta testing, Service Pack 1 (SP1) is now publicly available and loaded with security enhancements. I thought I'd mention some of my own favorites here.

Attitude shift

The most important security improvement I noticed right off was the significant shift of attitude towards security. Microsoft's technical overview of SP1 begins with several honest admissions. The document openly acknowledges the "customer pain centered on server security." They also confess that, "Update management … is too complex and too labor intensive" and that "customers must painstakingly test the updates to verify that they do not interfere with mission critical systems."

The document also states that the current approach to Windows security "often delivers too little security too late for many Windows Server 2003 customers," adding that, "This situation is simply untenable."

I was quite shocked. No justifications, no defensiveness, no blaming, and no marketing fluff. They simply concede that they had problems and now offer some reasonable fixes.

IE secured

A long-awaited security update is the more secure Internet Explorer that, up to now, was only available on Windows XP SP2. This update includes numerous security fixes, including better add-on management, better group policy support, pop-up blocking, local machine zone lockdown, and many others. Sure, exposure to IE problems on a server is much less common, but it's still nice having the more secure IE on there.

The firewall

In my last column, I complained about Windows firewalls. While the new Windows Firewall still isn't quite what I was hoping for, it nevertheless has many new welcome features. Like the firewall in Windows XP SP2, it offers boot-time protection, global configuration, audit logging, better group policy integration, command-line support, and many other cool features. It still lacks in some areas, such as controlling outgoing traffic, but at least it provides easy protection for even the most novice users.

Post-setup security updates

At one time, this was so common it was almost funny: people installed Windows and before they could download all the latest security updates, they were already infected by a host of worms that had them actively attacking other Internet hosts. In some cases, even being behind a firewall wasn't sufficient protection.

That just might now be a problem of the past. SP1-integrated Windows installations will now allow you to block all inbound network connections until you finish installing the latest security updates and configure the automatic updates feature. This is a good reason to go ahead and build those SP1-integrated installations rather than installing Windows then rebooting to install SP1.

RPC and DCOM security

Although there have been several issues with RPC and DCOM security, these technologies certainly have not been exploited to the extent they could have been. Fortunately, these interfaces were complicated enough for them to avoid widespread attention, but the potential was huge. Until now, hardening these services was mostly undocumented, and many techniques were highly experimental. Even with all our best efforts, it still was largely insufficient.

SP1 adds several features to better manage and control access to RPC and DCOM services. Computer-wide restrictions and the ability to disable incoming call, activation and launch requests give an administrator much more control over DCOM access. There is also a new RestrictRemoteClients registry key to completely block remote, anonymous RPC access on the system. The new Windows Firewall also offers better RPC support that provides more intelligent and granular control over RPC services.

Data execution prevention

SP1's new Data Execution Prevention (DEP) feature lets Windows take advantage of hardware technologies that prevent code execution in non-executable memory locations. This greatly limits exposure to those all-too-common buffer overflow attacks.

In addition to the hardware support, SP1 also provides software-enforced DEP to protect certain Windows system binaries.
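To make the two settings above auditable, here is an added PowerShell example that is not part of the column and not Microsoft's code. It reports the RestrictRemoteClients value (the registry path and the meaning of the values 0, 1 and 2 are assumed from Microsoft's "Restrictions for Unauthenticated RPC clients" policy documentation, not from the column) and the DEP policy (read from the Win32_OperatingSystem CIM class, also an assumption of this example). PowerShell itself postdates SP1, so this is written for checking the same settings on a current host.

```powershell
# Added example: audit the RPC anonymous-client restriction and the DEP policy
# described in the column. Registry path, value meanings and CIM property
# names are assumptions taken from Microsoft documentation, not from the text.

function Get-RpcRestrictRemoteClients {
    # Policy location assumed: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
    $value = $null
    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path -Name 'RestrictRemoteClients' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.RestrictRemoteClients }
    }

    # Meaning of each value per the policy documentation (assumed);
    # $null means the policy is not set and the OS default applies.
    if ($null -eq $value) {
        $meaning = 'Not configured: OS default applies'
    } elseif ($value -eq 0) {
        $meaning = 'None: anonymous remote RPC clients are accepted'
    } elseif ($value -eq 1) {
        $meaning = 'Authenticated: anonymous remote clients rejected, documented exceptions allowed'
    } elseif ($value -eq 2) {
        $meaning = 'Authenticated without exceptions: strictest setting'
    } else {
        $meaning = "Unknown value $value"
    }

    [pscustomobject]@{
        Setting  = 'RestrictRemoteClients'
        Value    = $value
        Meaning  = $meaning
        Hardened = ($null -ne $value -and $value -ge 1)
    }
}

function Get-DepPolicy {
    # DEP state exposed by Win32_OperatingSystem (assumed property names).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn (Windows system binaries only)'
        3 = 'OptOut (everything except excluded programs)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    [pscustomobject]@{
        Setting           = 'DataExecutionPrevention'
        HardwareAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy            = $policyNames[$policy]
        DriversCovered    = [bool]$os.DataExecutionPrevention_Drivers
        # Hardened only if the CPU supports NX and DEP is not switched off.
        Hardened          = ([bool]$os.DataExecutionPrevention_Available -and $policy -ne 0)
    }
}

# Usage: run both checks and flag anything that is not hardened.
$results = @(Get-RpcRestrictRemoteClients; Get-DepPolicy)
$results | Format-List
$results | Where-Object { -not $_.Hardened } | ForEach-Object {
    Write-Warning ("{0} is not hardened" -f $_.Setting)
}
```

Get-CimInstance needs PowerShell 3 or later; on older hosts replace it with Get-WmiObject, which exposes the same DataExecutionPrevention_* properties. Run the script elevated so the policy key is readable even when access to it has been restricted.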

Security configuration wizard

The new SP1 Security Configuration Wizard (SCW) makes it much easier to lock down a server without requiring too much security knowledge. The wizard makes suggestions based on your current configuration and specified server roles, and it takes out much of the guesswork and hassle of enabling and disabling system services. Even if you use a custom or more complex hardening method, the SCW can simplify the procedure. The SCW stores its configuration using standard XML files so you can easily customize it for your own needs.

Hot patching

One of my own personal favorites is the hot patching feature that allows you to patch your system binaries even if they are currently in use. By actually patching the binaries in memory, this new feature will significantly reduce the number of reboots required for hotfixes. You will still need to reboot after updating kernel-level binaries, but as always, the fewer reboots the better.

SP1 includes all previous security updates and undoubtedly includes thousands of other fixes that they never announced publicly. This service pack is a significant deliverable on Microsoft's Trustworthy Computing initiative and does a great job at improving system security. It reduces the attack surface, better supports the concept of least privilege, and implements a number of proactive security strategies.

What else can I say? No complaints this month, I'm impressed.

Copyright © 2005, SecurityFocus

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle.
