One of Microsoft's ongoing initiatives is to enhance security with each successive service pack release. Windows Server 2003 Service Pack 1 (SP1) is no exception, but you may wonder how exactly it bolsters security in the server operating system. In this tip, I'll outline the most significant security updates.
Privilege reductions in RPC and DCOM
Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) are core elements of Windows and have been a recurring target of remote exploits. SP1 requires a remote caller to authenticate, or to hold specific privileges, before it can make RPC or DCOM calls, regardless of what checks the application itself performs. A new registry value, RestrictRemoteClients, can be used to refuse anonymous remote RPC access system-wide if security policy demands it. Existing programs that run in the proper security contexts should not be affected, but anything that depends on anonymous remote RPC will break under the strictest setting, so test before rolling it out.
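The following PowerShell is an added example, not code from the original article: it reads and then tightens the RestrictRemoteClients setting. It assumes the value lives under the RPC policy key documented for XP SP2 and Server 2003 SP1 and takes the values 0, 1 or 2; the path and the level chosen are illustrative.

```powershell
# Added example (not from the original article): inspect and set the
# RestrictRemoteClients RPC policy introduced with Windows Server 2003 SP1.
# Assumption: the value lives under the policy key below and takes 0, 1 or 2.

$RpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'

function Get-RpcRestrictRemoteClients {
    # Returns the effective level; a missing value means the SP1 default (1).
    if (-not (Test-Path $RpcKey)) { return 1 }
    $item = Get-ItemProperty -Path $RpcKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.RestrictRemoteClients) { return 1 }
    return [int]$item.RestrictRemoteClients
}

function Set-RpcRestrictRemoteClients {
    param([ValidateSet(0,1,2)][int]$Level)
    # 0 = RPC_RESTRICT_REMOTE_CLIENT_NONE    : pre-SP1 behaviour, anonymous remote calls allowed
    # 1 = RPC_RESTRICT_REMOTE_CLIENT_DEFAULT : anonymous remote calls refused, except for
    #                                          interfaces that explicitly ask to be exempt (SP1 default)
    # 2 = RPC_RESTRICT_REMOTE_CLIENT_HIGH    : anonymous remote calls always refused
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcKey -Name RestrictRemoteClients -Value $Level -Type DWord
}

# Audit first, then tighten and verify.
$before = Get-RpcRestrictRemoteClients
Write-Host "RestrictRemoteClients before: $before"

Set-RpcRestrictRemoteClients -Level 2
$after = Get-RpcRestrictRemoteClients
Write-Host "RestrictRemoteClients after:  $after"

# The RPC runtime reads this value when a process starts, so restart the
# affected services (or reboot) and exercise every application that makes
# unauthenticated remote RPC calls before leaving level 2 in place.
```

Level 1 is what SP1 ships with; level 2 is the one to reach for when policy says "no anonymous RPC at all", and it is the one most likely to break older agents, so keep the recorded "before" value handy for rollback.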
Data execution prevention
DEP is a technology, implemented in hardware and partly in software, that prevents code from executing out of memory regions meant to hold data. (Newer processors such as AMD's Opteron and Athlon 64 support it directly through the NX bit; Intel's equivalent is the XD bit.) Many exploits blindly dump or "inject" code (known as a payload) into a segment of memory where code normally wouldn't reside, such as the stack or the heap, then jump to it. DEP thwarts such exploits by marking those areas non-executable; if anything tries to execute code in a flagged area, the processor raises an access violation and the system terminates the process.
SP1 provides a degree of such protection even on a system without hardware support: software-enforced DEP validates structured exception handler records before they are invoked, which defeats the common trick of overwriting a handler pointer, but it does not make data pages non-executable. Hardware-enforced DEP stops the large class of exploits whose payload executes from a data page, and SP1 applies it to kernel-mode memory (kernel stacks and paged/session pool) as well as to user mode. It does not stop attacks that only reuse code already marked executable (return-to-libc style), and a kernel-mode violation is fatal: the system stops with a bug check rather than running the injected code. That may mean a crash -- but a crash is usually preferable to a compromised system.
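Whether hardware DEP is actually in force on a given server is worth checking rather than assuming. The PowerShell below is an added example, not from the original article; it assumes the Win32_OperatingSystem DEP properties that arrived with SP1 are present and that the /noexecute switch is in boot.ini on the system drive.

```powershell
# Added example (not from the original article): report whether DEP is
# enforced on this server and under which policy.
# Assumptions: Win32_OperatingSystem exposes the SP1 DEP properties, and
# boot.ini on the system drive carries the /noexecute switch.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy            = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        CoversDrivers     = [bool]$os.DataExecutionPrevention_Drivers
        Covers32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

$dep = Get-DepStatus
$dep | Format-List

if (-not $dep.HardwareAvailable) {
    Write-Warning 'No NX/XD support: only software-enforced DEP (exception-handler checks) is in effect.'
}
if ($dep.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled by boot option; remove /noexecute=AlwaysOff from boot.ini.'
}

# The boot.ini switch is what the policy above reflects; show it for the record.
Select-String -Path "$env:SystemDrive\boot.ini" -Pattern '/noexecute=\w+' |
    ForEach-Object { $_.Matches[0].Value }
```

Server 2003 SP1 defaults to OptOut (everything protected unless an executable is explicitly excluded); a server reporting OptIn or AlwaysOff has had its boot.ini edited, and one reporting HardwareAvailable = False has only the exception-handler checks described above.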
Windows Firewall
The rechristened Internet Connection Firewall, now called Windows Firewall, is no substitute for a full firewall (such as a Cisco box or Microsoft's own ISA Server), but it provides basic protection against major threats. As in Windows XP Service Pack 2, it comes with a slew of enhancements not seen before, although, unlike XP SP2, Server 2003 SP1 leaves it switched off by default once Setup completes, so you have to turn it on yourself. The enhancements include:
- System protection during boot process, when the network stack is initialized as the rest of the system comes up.
- Global configuration, rather than per-interface.
- Command-line configuration through the netsh firewall context.
- Application-based exceptions (ports open only while the listed program is running) in addition to port-based ones, each of which can be scoped to the local subnet or a custom address list.
- Selective RPC support (integrated with system-wide RPC security tightening).
- Native IPv6 support.
- System protection during the post-install update phase (Post-Setup Security Updates): inbound connections are blocked until the freshly installed server has been patched.
- More Group Policy Object configurations.
- Support for unattended setup scenarios.
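The script below is an added example, not code from the original article, showing the netsh firewall commands that put several of the items above into practice: enabling the firewall, an application-based exception, a scoped port-based exception, and dropped-packet logging. The program path, port and address range are placeholders for your own environment.

```powershell
# Added example (not from the original article): configure the SP1 Windows
# Firewall from the command line using the netsh firewall context.
# Assumptions: the program path, port and address range are placeholders;
# run from an administrative prompt on the server itself.

# 1. Turn the firewall on for all profiles, keeping exceptions enabled.
#    (On Server 2003 SP1 the firewall is off by default after Setup.)
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. Application-based exception: the firewall opens whatever ports this
#    program listens on, only while it runs, and only for the local subnet.
netsh firewall add allowedprogram program="C:\Program Files\MyAgent\agent.exe" name="Management agent" mode=ENABLE scope=SUBNET

# 3. Port-based exception, scoped to a management network rather than ALL.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (mgmt net)" mode=ENABLE scope=CUSTOM addresses=10.10.0.0/255.255.0.0

# 4. Built-in service exceptions such as file and print sharing can stay
#    closed on a member server that is not a file server.
netsh firewall set service type=FILEANDPRINT mode=DISABLE

# 5. Log dropped packets so blocked traffic is visible during rollout.
netsh firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE

# 6. Review the result.
netsh firewall show config
netsh firewall show state
```

Prefer the program-based exception (step 2) over the port-based one (step 3) wherever the listening application is known: the port is only reachable while that process is running, and a scope of SUBNET or CUSTOM keeps it from being exposed to every interface. Watch pfirewall.log for a few days before tightening further; anything legitimate that you forgot shows up there as a dropped packet.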
Security Configuration Wizard
The Security Configuration Wizard lets you configure server security based on existing server roles: If you're using the server for a task that doesn't involve a particular service, the wizard stops and disables the service (and, more importantly, tells you why). It also disables other functions that can be security problems: unneeded IIS Web extensions, unused ports, unnecessary protocols and APIs for services like LDAP or SMB, and so on. It also allows for rollback (to move the server back to the state it was in prior to applying the new security role, in case something breaks), compliance auditing (to determine if the server is currently safe according to policy), and support for command line, Active Directory and Group Policy interfaces. (Note that the wizard is not installed by default, but is available for installation through Windows Components in Add/Remove Programs.)
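The command-line side of the wizard is scwcmd.exe. The PowerShell below is an added example, not from the original article, walking through apply, rollback, compliance audit and Group Policy transform; it assumes SCW has been installed from Add/Remove Programs, that a policy XML was already produced with the wizard on a reference server, and that the server names, paths and GPO name are placeholders. The flags are those documented for SP1's scwcmd.

```powershell
# Added example (not from the original article): drive the Security
# Configuration Wizard from the command line with scwcmd.exe.
# Assumptions: SCW is installed; the policy file was created with the wizard;
# server names, paths and the GPO name are placeholders.

$Policy  = 'C:\Policies\WebFrontEnd.xml'
$Results = 'C:\Policies\Results'

# 1. Apply the role-based policy to this server. scwcmd records the previous
#    state so the change can be undone.
scwcmd configure "/p:$Policy"

# 2. Roll the server back to its pre-policy state if something breaks.
#    (Commented out here so the script does not immediately undo step 1.)
# scwcmd rollback "/m:$env:COMPUTERNAME"

# 3. Compliance audit: compare a server's current configuration with the
#    policy and write an XML result file into the output directory.
scwcmd analyze /m:web01 "/p:$Policy" "/o:$Results"

# 4. Render the result as HTML for review, using the stylesheet SCW ships.
scwcmd view "/x:$Results\web01.xml" "/s:$env:SystemRoot\security\msscw\TransformFiles\scwanalysis.xsl"

# 5. Push the same policy through Active Directory by turning it into a GPO,
#    which you then link to the OU holding the web servers.
scwcmd transform "/p:$Policy" /g:"SCW - Web Front End"
```

Step 3 is the "compliance auditing" the article mentions: run it on a schedule against each server in the role and diff the result files, and a service that someone re-enabled by hand shows up as a deviation long before it becomes an incident. Keep step 2 ready before step 1 on any server whose role you are not certain of.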
To harden TCP/IP against malicious activity, SP1 changes several defaults, most notably enabling SYN-flood protection (the SynAttackProtect setting) out of the box. The relevant values live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and can be changed there if they interfere with a legitimate high-connection-rate workload.
One final note: If you're running Windows Small Business Server 2003 (SBS 2003), Microsoft recommends that you hold off on installing SP1 because of some minor known issues with SBS.
Serdar Yegulalp is editor of The Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!