Top five security enhancements in 2003 SP1


Serdar Yegulalp
04.27.2005


One of Microsoft's ongoing initiatives is to enhance security with each successive service pack release. Windows Server 2003 Service Pack 1 (SP1) is no exception, but you may wonder how exactly it bolsters security in the server operating system. In this tip, I'll outline the most significant security updates.

Privilege reductions in RPC and DCOM
Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) are core elements of Windows that have always been targets for exploits. SP1 requires an application to have certain privileges or proper authentication to make RPC or DCOM calls, regardless of what security code exists within the application itself. A new registry key, RestrictRemoteClients, can be used to prohibit anonymous RPC access system-wide if security measures demand it. Existing programs that run in the proper contexts should not be affected.

Data execution prevention
Data execution prevention (DEP) is a technology that can be implemented in both hardware and software to prevent the execution of malicious code. (Newer processors like AMD Inc.'s Opteron support it directly.) Many exploits blindly dump or "inject" code (known as a payload) into a segment of memory where code normally wouldn't reside, then execute it. DEP thwarts such exploits by marking certain areas of memory non-executable; if an application tries to execute code in a flagged area of memory, the system throws an exception.

SP1 allows for a degree of such protection, even on a system that doesn't have hardware support for it. DEP can protect against the vast majority of code injection exploits, including those that manage to run in kernel memory through a compromised driver or service. If a kernel-level exploit is trapped in this fashion, it may mean a crash -- but a crash is always better than a compromised system.

Windows Firewall
The rechristened Internet Connection Firewall, now called Windows Firewall, is no substitute for a full firewall (such as a Cisco box or Microsoft's own ISA Server), but it provides basic levels of protection against major threats. In Windows XP Service Pack 2, it comes with a slew of enhancements not seen before, including:

  • System protection during boot process, when the network stack is initialized as the rest of the system comes up.
  • Global configuration, rather than per-interface.
  • Command set accessibility through the netsh interface.
  • Application-based exceptions, rather than port-based.
  • Selective RPC support (integrated with system-wide RPC security tightening).
  • Native IPv6 support.
  • System protection during the post-install update phase.
  • More Group Policy Object configurations.
  • Support for unattended setup scenarios.

Security Configuration Wizard
The Security Configuration Wizard lets you configure server security based on existing server roles: If you're using the server for a task that doesn't involve a particular service, the wizard stops and disables the service (and, more importantly, tells you why). It also disables other functions that can be security problems: unneeded IIS Web extensions, unused ports, unnecessary protocols and APIs for services like LDAP or SMB, and so on. It also allows for rollback (to move the server back to the state it was in prior to applying the new security role, in case something breaks), compliance auditing (to determine if the server is currently safe according to policy), and support for command line, Active Directory and Group Policy interfaces. (Note that the wizard is not installed by default, but is available for installation through Windows Components in Add/Remove Programs.)

TCP/IP hardening
To harden TCP/IP against malicious activity, SP1 makes several changes, such as enabling protection against SYN flooding by default. (You can disable these settings through the Registry.)
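
The RestrictRemoteClients setting from the RPC section and the SYN flood protection described here can both be reviewed offline from a registry export. The following is an added example, not part of the original tip: the key paths and the SynAttackProtect value name are taken from Microsoft's documentation rather than from this page, and the export text is constructed sample data.

```python
import re

# Locations per Microsoft's documentation (assumption: not given on the page).
RPC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"
TCP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

RPC_LEVELS = {0: "anonymous remote RPC calls allowed",
              1: "authentication required, interfaces may opt out",
              2: "authentication required, no exemptions"}

# Constructed sample of a `reg export`, not taken from a real server.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc]
"RestrictRemoteClients"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return (rpc_value, syn_value, findings); None means the value is not set."""
    keys = parse_reg(text)
    rpc = keys.get(RPC_KEY.lower(), {}).get("restrictremoteclients")
    syn = keys.get(TCP_KEY.lower(), {}).get("synattackprotect")
    findings = [
        "RestrictRemoteClients not set: OS default applies" if rpc is None
        else "RestrictRemoteClients=%d: %s" % (rpc, RPC_LEVELS.get(rpc, "unknown value")),
        "SynAttackProtect=0: SYN flood protection disabled" if syn == 0
        else "SynAttackProtect on (explicit or SP1 default)",
    ]
    return rpc, syn, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[2]:
        print(finding)
```

In the constructed sample, anonymous RPC is fully restricted while the SP1 SYN flood default has been switched off, which is the kind of drift a periodic review should surface.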

One final note: If you're running Windows Small Business Server 2003 (SBS 2003), Microsoft recommends that you hold off on installing SP1 because of some minor known issues with SBS.


Serdar Yegulalp is editor of The Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

