Windows Server 2003 SP1

Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM

Session Goals: Introduce you to the new features and tools in Windows Server 2003 Service Pack 1. Examine the new security models and enhancements introduced. Demonstrate how you can manage and test these changes in your environment Best Practices, Tools and Tips

Agenda SP1 Features and Configuration Tools System and Network Security Enhancements Configuration Options Testing in a Virtual lab

What are the Goals of SP1? Enhanced Security –reduced attack surface –new security enhancements Stronger Defaults and privilege reduction on services RPC / DCOM Support for no execute hardware Intel AMD Windows Firewall enabled by default New install scenario Provide a Security Configuration Wizard to assist IT Admins Role-based configuration and lockdown VPN Quarantine Client inspection Fix-up Isolation IIS 6.0 metabase auditing Enhanced Reliability Enhanced Performance –10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

SP1 Features and Enhancements Relevant XP SP2 enhancements –RPC, DCOM lockdown Windows Firewall Post-Setup Security Updates Boot-time network protection for clean installs Security Configuration Wizard Base 64-bit extension system

SP1 Deployment Options Manual installation Update.exe /? (for options) Update.msi Slipstreaming Update.exe /integrate: Imaging software OS deployment feature pack for SMS 2003 Scripted installation Unattend.txt

What happens after you install SP1? New Server install (slipstreamed) Post Setup Security Updates invoked: Server protection between installation of operating system and installation of latest updates Windows Firewall enabled if not explicitly configured during installation Upgraded Server 2003 (update.exe) Firewall disabled by default New security models come in to force Install and Run the Security Configuration Wizard

Post Setup Security Updates The PSSU interface enables Administrators to safely install product updates after an initial installation of Windows Server 2003 and SP1 Appears on Administrator Logon or due to a product update installation or other maintenance Windows Firewall is turned off and the service disabled when the Finish button is clicked

What happens after you install sp1  Post Setup Security Updates demonstration demonstration

Security Configuration Wizard Identifies open ports The wizard should be executed with required applications and services running Selects server roles from configuration database Configures required services Configures ports for Windows Firewall Configures security for LDAP and SMB Configures an audit policy Configures settings specific to roles performed by the server

Security Configuration Wizard Configuration saved to XML file Applied by the wizard Apply an existing security policy Applied from the command line scwcmd.exe configure /p:webserverpolicy.xml Used in scripts Unattended setup scripts

Security Configuration Wizard  Using the Security Configuration Wizard  Roles and Templates demonstration demonstration

Agenda SP1 Features and Configuration Tools System and Network Security Enhancements Configuration Options Testing in a Virtual lab

System Security Enhancements Data Execution Prevention Enforced by hardware and software Hardware DEP Requires processor support Processor marks areas of memory as non-executable unless they specifically contain executable code May cause compatibility issues Software DEP Functional on any processor that supports Windows Server 2003 Protects system binaries from exploits relating to exception handling Unlikely to cause compatibility issues

System Security Enhancements Data Execution Prevention Boot.ini configuration /noexecute=PolicyLevel OptIn – Software DEP is enabled; Hardware DEP is only enabled for applications that are specifically configured OptOut – Software DEP and Hardware DEP are enabled; they are only disabled for applications that are in the exception list AlwaysOn – Software DEP and Hardware DEP are always enabled; any configured exceptions are ignored AlwaysOff – Software DEP and Hardware DEP are disabled

Network Security Enhancements DCOM Security DCOM permissions Launch Activate Access System-wide security Administrator configured Affects all DCOM servers Component Services Group Policy

Network Security Enhancements RPC Security RPC is a protocol for network communication SP1 enhancements Require authenticated connections Not compatible with named pipes RPC security settings RestrictRemoteClients EnableAuthEpResolution

Remote Procedure Call Security  Configure RPC Security  Viewing the effects of RPC Security demonstration demonstration DCOM Security  Investigating DCOM permissions  Demonstrating system-wide DCOM permissions

Agenda SP1 Features and Configuration Tools System and Network Security Enhancements Configuration Options Testing in a Virtual lab

Management of Features Windows Firewall (default Settings) Boot-time security On by default (Integrated Installation only) Global configuration and restore defaults On with no exceptions Command-line support Unattended setup support RPC Support for system services Multiple profiles Windows firewall exceptions list Local subnet restrictions

Management of Features Command Line Config with Netsh

Management of Features Windows Firewall GUI

Management of Features Group Policy

Windows Firewall  Changing the state of the Windows Firewall/Internet Connection Sharing (ICS) service to enable firewall configuration  Configuring Windows Firewall using the graphical user interface, command line, and Group Policy demonstration demonstration

Agenda SP1 Features and Configuration Tools System and Network Security Enhancements Configuration Options Testing in a Virtual lab

Testing in a Virtual Lab Why Test? Know the impact updating will have Plan your deployment Deal with potential issues in test environment Smooth upgrade process

How to Test the SP1 Installation in Your Environment Verify that the software and services continue to work Install SP1 on each computer and apply security settings / templates Create a test environment that is representative of your company’s computers, software and services

Virtual Test Network Testing with Virtual Networks Virtual Test Environment for SP1 Isolated test network Virtual NICS Virtual NICs Hardware server Physical NICs Bridged virtual network Virtual Switch XP SP2 Workstation VM Application Server VM Server 2003 SP1 VM Private internal network Bridged virtual network Private virtual network Virtual DHCP Server

Testing SP1 in a Virtual Network  Virtual Network Environments  Undo feature demonstration demonstration

Session Summary Windows Server 2003 SP1 provides a number of security enhancements These enhancements will provide additional security and help guard against attack The new security features should be fully tested before implementation There are also a number of new tools in SP1 to help you manage the server settings and roles.

For More Information Visit TechNet at – Windows Server 2003 SP1 Beta – /sp1/default.mspx Server Virtualization – n.mspx

Where Can I Get TechNet? Visit TechNet online at Register for the TechNet Flash /technet/abouttn/subscriptions/flash_register.mspx Join the TechNet online forum at Become a TechNet subscriber at Attend more TechNet events or view online