Windows Server 2003 SP1 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Windows Server 2003 SP1


2
  • Securing the Infrastructure
  • Windows Server 2003 SP1 and Windows XP SP2

Ken Schaefer, System Engineer, MVP, Avanade
3
Sorry
  • No funny jokes or pictures
  • But there will be good technical content

4
Agenda
  • Why we are releasing Windows Server 2003 SP1
  • Goals for Windows Server 2003 SP1
  • Key security enhancements and functions of SP1
  • Windows 2003 and Windows XP SP2 Firewall
  • Other enhancements
  • Additional resources to ramp up on Windows Server
    2003 SP1
  • Summary

5
Why are we releasing WS03 SP1?
  • To reduce customer pain around security of our
    operating systems, and to provide a more robust
    and secure OS to customers
  • To provide some new security enhancements
    • Setup Protection (SECOOBE)
    • Windows Firewall
    • Role-based Security Configuration Wizard
  • To increase adoption of Windows Server 2003:
    some customers wait for SP1 before deploying

6
WS03 Customer Pains and SP1
  • Why?
  • Patch management too complex
  • Time to exploit decreasing
  • Exploits are more sophisticated
  • Current approach is not sufficient
  • How?
  • Role based approach will give flexibility to our
    customers in terms of time to test/deploy
  • Proactive instead of reactive engineering, i.e.
    Windows Firewall and AD policy for Windows
    Firewall rule sets
  • A step in the journey to more secure
    computing platforms, applications, and devices.

7
What are the goals of SP1?
  • Enhanced Security
  • Reduced attack surface
  • New security enhancements
  • Stronger defaults and privilege reduction on
    services (RPC, DCOM)
  • Support for No Execute (NX) hardware (Intel,
    AMD)
  • Windows Firewall enabled by default for new
    installs
  • Includes boot time protection
  • Provide a Security Configuration Wizard to assist
    IT Admins
  • Role-based configuration and lockdown
  • RAS/VPN Quarantine
  • Client inspection, Fix-up, Isolation
  • IIS 6.0 metabase auditing
  • IE security enhancements
  • Enhanced Reliability
  • Enhanced Performance
  • 10% improvement in TPC, TPC-H, SAP, SSL, etc.

8
SP1 Features and Enhancements
  • Post-Setup Security Updates (PSSU)
  • Security Configuration Wizard
  • Relevant XP SP2 enhancements
  • RPC, DCOM lockdown
  • Windows Firewall configuration
  • Terminal Services Improvements
  • Base 64-bit extension system: x86-64 is reality

9
WS03SP1 Post-Setup Security Updates (1)
  • A new feature designed to protect servers between
    first boot and application of most recent
    security updates
  • Opens on first admin login if Windows Firewall
    was not explicitly enabled/disabled using
    unattend script or GPO
  • Blocks inbound connections until customer clicks
    Finish on PSSU dialog box

10
WS03SP1 Post-Setup Security Updates (2)
  • Offers links to Windows Update
  • Creates an opportunity to configure Automatic
    Updates
  • Re-opens if not completed before first restart
  • Forced closure (ALT+F4) makes no change to the
    firewall, system runs tests to display PSSU again
    at next log on

11
WS03SP1 Post-Setup Security Updates (3)
  • Applies To
    • Windows server admins who are concerned that new
      Windows Server 2003 servers may not be fully
      protected before application of updates
    • Admins who perform new installs of Windows Server
      2003 with a Service Pack
  • Does Not Apply When
    • OS install with an unattend script enabling or
      disabling Windows Firewall
    • Windows Firewall is enabled or disabled through
      GP before PSSU is displayed
    • Performing OS updates to existing Windows Server
      2003 server, or upgrading existing Windows 2000
      server to Windows Server 2003 SP1

12
  • Post-Setup Security Updates

13
Security Configuration Wizard
  • Guided Attack Surface Reduction for Windows
    Servers
  • Security Coverage
  • Roles-Based Metaphor
  • Disables Unnecessary Services
  • Disables Unnecessary IIS Web Extensions
  • Blocks unused Ports, including multi-homed
    scenarios
  • Helps Secure Ports that are left open by using
    IPSEC
  • Reduces protocol exposure (LDAP, NTLM, SMB)
  • Configures Audit Setting with high Signal to
    Noise ratio
  • Security for mere mortals
  • Roles-based makes answering questions easy
  • Automated versus Paper-Based Guidance
  • Fully tested and supported by Microsoft

14
SCW Operational Coverage
  • Supports approximately 60 server roles OOB
  • Rollback, when applied policies disrupt service
    expectation
  • Analysis, to check that machines are in
    compliance with policies
  • Remotability for configuration and analysis
    operations
  • Command Line Support for remote config and
    analysis en-masse
  • Active Directory Integration for Group
    Policy-based deployment
  • Editing of previously created policies, when
    machines are repurposed
  • XSL Views of Knowledge base, policies and
    analysis results

15
  • Security Configuration Wizard

16
RPC and DCOM Enhancements: Dovetails with Windows XP SP2
  • New RPC registry keys
  • Allow server applications to restrict access to
    the interface, typically through a security call
    back
  • Optionally deny all remote anonymous access
  • Enables application developers to more closely
    control access
  • Additional DCOM access control restrictions
  • Strengthening of DCOM authentication security
    model
  • Overall reduction of risk of a successful network
    attack
  • RPC and DCOM ports handled as a special case by
    Windows Firewall

17
Windows Firewall
  • Goals and customer benefit
  • Provide by default better protection from network
    attacks
  • Focus on role-based server configuration
  • What we're doing
  • Windows Firewall (formerly ICF) will be on by
    default in almost all configurations
  • More configuration options
  • Group policy, command line, unattended setup
  • Better user interface
  • Boot time protection
  • Restrict anonymous connections to DCOM/RPC
    interfaces
  • Application impact
  • In-bound network connections will not be
    permitted by default
  • Listening ports only open as long as the
    application is running

18
  • Windows Firewall and AD Firewall Policy Deployment

19
Administering Windows XP SP2: Recommended
Enterprise Settings (1)
  • Guidelines only, review all settings prior to
    deployment!!
  • Windows Firewall: Protect all network connections
    • Enabled
  • Windows Firewall: Do not allow exceptions
    • Not configured
  • Windows Firewall: Define program exceptions
    • Set to the names of applications and services
      used by the computers running Windows XP SP2 on
      your network for managed, server, listener, or
      peer applications. (e.g. SMS)

20
Administering Windows XP SP2: Recommended
Enterprise Settings (2)
  • Windows Firewall: Allow local program exceptions
    • Enabled
  • Windows Firewall: Allow remote administration
    exception
    • Disabled, unless the Windows XP SP2-based
      computers are configured remotely using MMC
      snap-in or monitored remotely using WMI.
  • Windows Firewall: Allow file and print sharing
    exception
    • Enabled only if the computers running Windows XP
      SP2 are sharing local folders and printers.

21
Administering Windows XP SP2: Recommended
Enterprise Settings (3)
  • Windows Firewall: Allow ICMP exceptions
    • Enabled only to allow diagnostic or management
      capabilities that are based on ICMP traffic.
  • Windows Firewall: Allow Remote Desktop exception
    • Enabled only if you use Remote Desktop to connect
      to Windows XP SP2-based computers.
  • Windows Firewall: Allow UPnP framework exception
    • Enabled only if you use UPnP devices on your
      network.
  • Windows Firewall: Prohibit notifications
    • Disabled

22
Administering Windows XP SP2: Recommended
Enterprise Settings (4)
  • Windows Firewall: Allow logging
    • Not configured
  • Windows Firewall: Prohibit unicast response to
    multicast or broadcast requests
    • Disabled (may break Wake On LAN)
  • Windows Firewall: Define port exceptions
    • Set to the TCP and UDP ports used by the Windows
      XP SP2 computers on your network for managed,
      server, listener, or peer applications that
      cannot be specified by filename. (Add SMS and
      similar ports here)
  • Windows Firewall: Allow local port exceptions
    • Enabled (pending corporate policy)

23
Administering Windows XP SP2: 3rd Party firewalls scenarios
  • Disable Windows Firewall
  • Disable Windows Firewall via accidental
    installation
  • Unattend.txt or Netfw.inf
  • Deploy registry settings to disable WF
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0
      (DWORD data type)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0
      (DWORD data type)
  • Configure GPOs accordingly

24
Terminal Services Improvements
  • Fallback Printer Driver
  • Addresses Client to Server Printing issues when
    driver mismatch occurs
  • Heuristic that does name matching on printer
    driver strings provided from TS client
  • Will do a best guess and then substitute for a
    lowest common denominator PCL or PS driver
  • PCL and - "HP DeskJet 500"
  • Color PCL - "HP DeskJet 500C"
  • PS - "HP LaserJet 4/4M PS"
  • Color PS - "HP Color LaserJet 5/5M PS"
  • Licensing Server Improvements

25
  • SP1 Terminal Services

26
Windows Server 2003 x64 Editions
  • Key value
  • Core OS functionality performance benefits
    (64-bit)
  • Runs most existing 32-bit apps with increased
    performance
  • Provides evolutionary path to 64-bit applications
  • Single code-base based on WS03 SP1
  • AMD Opteron/Athlon 64 Intel Xeon EM64T
    supported with one product
  • Basis for Windows XP Professional, x64 Edition
  • Compatibility
  • WS03 SP1 level compatibility
  • Application kernel mode code and drivers must be
    64-bit

27
How To Get Involved
  • Share your ideas with the Windows Server
    development team at
    http://www.windowsserverfeedback.com
  • You can also participate in
  • Online surveys about product feature priorities
  • Product focus groups
  • TechBeta

28
Summary
  • Windows Server 2003 SP1 exists to encourage
    adoption of Windows Server 2003, migration from
    NT4 and 2000
  • Security-focused service pack, also includes
    performance, feature and reliability improvements
  • Exciting roadmap: complement to XP SP2,
    precursor to Windows Server 2003 R2 and Longhorn
  • What you can do
  • Review the reference material on the following
    slides
  • Test the available Release Candidate 2 (RC2)
    version
  • Provide your ideas on how we can make further
    improvements in this area

29
More Information
  • Windows Server 2003 SP1 Release Candidate 2
    http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
  • Windows XP SP2 on Microsoft TechNet
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
  • MBSA v2 Beta (use Beta GuestID MBSA20)
    http://beta.microsoft.com
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  • Windows Update Services Beta
    http://www.microsoft.com/windowsserversystem/wus/default.mspx
  • TechNet Security Centre for IT Pros
    http://www.microsoft.com/technet/security/default.mspx
  • Microsoft IT practices
    http://www.microsoft.com/itshowcase

31
Evaluation: Prescriptive Guidance
  • Overall how satisfied were you with the
    event? 9
  • Rate the session Windows 2003 SP1 9

32
Ken Schaefer ken_at_adOpenStatic.com