Windows Server 2003 SP1 Technical Overview John Howard, IT Pro Evangelist, Microsoft UK
Agenda Goals and Vision Security Enhancements Roadmap and Resources
Agenda Goals and Vision Security Enhancements Roadmap and Resources
Key Customer Challenges Security Securely configuring networks in a simplified way Coping with malicious hackers, viruses and network attacks Being prepared to face future security threats Reliability Minimise network downtime Performance Desire for increased performance
Some ways security is addressed in SP1 Support for “No Execute” hardware Windows Firewall & Boot Time Security Role based configuration and lockdown IIS 6.0 metabase auditing VPN Quarantine Internet Explorer
Agenda Goals and Vision Security Enhancements Roadmap and Resources
Hardware DEP Processor support required Software DEP Functional on any process supporting Windows Server 2003 Boot.ini “/noexecute=PolicyLevel” switch OptInOptOutAlwaysOnAlwaysOff GUI configuration through System Performance settings Security Enhancements Data Execution Prevention (DEP)
Security Enhancements Post Setup Security Updates (PSSU) Protects servers between first boot and application of most recent security updates Opens on first admin login if Windows Firewall was not explicitly enabled using unattend script or Group Policy Blocks inbound connections until customer clicks “Finish” on PSSU dialog box
Offers links to Windows Update Opportunity to configure Automatic Updates Re-opens if not completed before first restart Forced closure (ALT+F4) does not change firewall Tests to display PSSU again at next log on Security Enhancements Post Setup Security Updates (PSSU)
Invoked during Slipstreamed installation Not applied when Windows Firewall is enabled or disabled through Group Policy before PSSU is displayed Upgrade existing servers Security Enhancements Post Setup Security Updates (PSSU)
Security Enhancements Windows Firewall Enhancement to Internet Connection Firewall (ICF) Not on by default Except during PSSU Can be configured during installation Boot time security Global Configuration On with no exceptions Multiple profiles Integration with netsh command line utility
Windows Firewall Demo
Security Enhancements Security Configuration Wizard (SCW) Guided Attack Surface Reduction for Servers Security Coverage Roles-Based Metaphor Disables Unnecessary Services Disables Unnecessary IIS Web Extensions Blocks unused Ports, inlcuding multi-homed scenarios Helps Secure Ports that are left open using IPSEC Reduces protocol exposure (LDAP, NTLM, SMB) Configures Audit Setting with high Signal to Noise
Security Enhancements Security Configuration Wizard (SCW) Install Add/remove Windows Components Unattended setup Configuration saved to XML file Command line support Rollback capability Analysis capability
Security Configuration Wizard Demo
Security Enhancements Internet Explorer Feature parity with XP SP2 Zone elevation Add-on management Information bar Pop-up management Window restrictions Download security
RPC and DCOM Enhancements Dovetails with Windows XP SP2 RPC attack surface reduced New RPC registry keys Allow server applications to restrict access to the interface, typically through a security call back Enables application developers to more closely control access Additional DCOM access control restrictions Strengthening of DCOM authentication security model Overall reduction of risk of a successful network attack RPC and DCOM ports handled as a special case by Windows Firewall
Security Enhancements Access Based Directory Enumeration What it does Hides directories based on access rights InterfacesGUI Command line tool markShareforABDE.exe Whitepaper on microsoft.com
Access Based Directory Enumeration Demo
Agenda Goals and Vision Security Enhancements Roadmap and Resources
MajorRelease MajorReleaseMajorReleaseReleaseUpdateReleaseUpdate ~ 4 years ~ 2 years Mainstream Service Packs & Updates Extended Support At least 5 years At least 5 years from major release Release Cycle
► Windows Server 2003 Service Pack 1 ► Windows Server 2003 x64 Editions ► Windows Server Update Services ► Windows Server “Longhorn” Beta ► Windows Server 2003 “R2” ► Windows Storage Server “R2” ► Windows Server “Longhorn” Windows Server “Longhorn R2” Release Roadmap
Resources Windows Server 2003 Home Page Windows Server 2003 SP1 Home Page Technet TechCentre
Download locations Windows Update Download centre
Deployment Guidance Documents How to deploy Windows Server 2003 SP1 in an Enterprise Infrastructure How to configure and deploy Windows Firewall functionality centrally through Windows Server 2003 SP1 and Active Directory How to deploy role-based secure Servers with Windows Server 2003 SP1 and Security Configuration Wizard How to setup VPN Quarantine of users utilizing Windows Server 2003 SP1 How to deploy VPN Quarantine in an Enterprise Infrastructure utilizing Windows Server 2003 SP1 How to setup Secure Server Templates with Security Configuration Wizard in Windows Server 2003 SP1 How to deploy Security Configuration Wizard Server Templates with Active Directory utilizing Windows Server 2003 How to deploy Security Configuration Wizard Server Templates with Active Directory utilizing Windows Server 2003
Summary SP1 provides significant security enhancements as well as reliability and performance improvements Windows Server SP1 provides tools to reduce attack surface area To maximize security/performance Windows Server, begin evaluating SP1 today Exciting roadmap – complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Windows Server 2003 SP1 Technical Overview John Howard, IT Pro Evangelist, Microsoft UK