Best Practice Ezine #50 W2K3 SP1

Best Practice Ezine.  Computer Performance. Advertise

Best Practice Ezine #50 Windows 2003 Server SP1

Even service packs have personalities, and the main character of Windows Server 2003 SP1 is security.  There is a similarity between SP2 for XP and SP1 for W2K3, for instance they both introduce a firewall.

Microsoft is shifting into proactive mode.  With SP1 they are removing attack points and battening down the hatches; Microsoft seem determined to make it as difficult as possible for malicious code to get a handle on the operating system.  Some say, ‘about time too’, other say ‘Microsoft is delivering on their promise to make security a priority’.

What SP1 can do for your Windows 2003 Server?

  1. Fix problems.  For example, ‘No Execute Hardware’ prevents malicious code from manipulating memory.  SP1 enforces RPC and DCOM services to authenticate.
  2. Apply all hot fixes in one go, for example numerous security enhancements to Internet Explorer.
  3. Introduce new features.  As well as a built-in Firewall, there is a Security Configuration Wizard to turn off un-needed services.
  4. SP1 refines existing features – WebDAV redirection.

Problems with service packs

The reason why service packs occasionally cripple servers, is that some machines have a combination of hardware and software that have not been validated for a particular service pack.

I estimate that 95% of all service packs which have ever been applied to any machine, worked perfectly.  On reflection I believe, that the success rate is nearer 99%.  However, if you suffer from one of the service packs that cause problems, it’s like being mugged.  While your belief is that this misfortune only befalls someone else, when it does happen to you, there is a terrible feeling of shock and betrayal.

Danny, Sean and Lee ride to my rescue
Danny kindly wrote in and said that Dell and HP servers require a BIOS upgrade before you can install SP1.  So, I was wrong when I said there should be no problem on mainstream servers.  I am amazed, and thank Danny for putting me straight.

I am also grateful to Sean for pointing out that Microsoft recommend waiting for Exchange 2003 Server SP2, before applying Windows Server 2003 SP1. Sean kindly provided this link. 

When I sent out a correction, Lee took the trouble to report his findings.  This is what he discovered: ‘Windows Hosting is its own product. It’s technically Exchange 2003, but with proprietary add-ons. The website is a little misleading. Microsoft actually does recommend that you install SP1 on a system with Exchange 2003. (I just talked to them about this.) ‘

Eureka!  Thanks to Lee, I declare, here is the definitive SP1 reference KB 896367.  I see Exchange 2003 failed the SP1 compatibility test, but only with OWA on clustering.

If I can draw any crumb of comfort from these three reports, it is that have continually advocated testing SP1 before deploying on production servers.

Guy Recommends: The Free IP Address Tracker (IPAT) IP Tracker

Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets.  IPAT cracks this problem of allocating IP addresses in networks in two ways:

For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. 

For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker

Minor Problem with extra security
If there is a problem on Windows Server 2003, then it is most likely the feature has been blocked thanks to tighter security.  The solution is easy, just find the setting and adjust it, for example, remote administration now needs to open port 445 on the firewall.

Test your particular server
The only way to discover the truth is by testing SP1 on one of your Windows 2003 Servers.  One philosophy is to always keep one service back behind.  However I don’t buy that idea.  Time alone will not magically cure a flaw; you have to test the service pack on a real machine.  If waiting means time spent researching, then fair enough, check your favourite forum or bulletin board for information on hardware / software combinations that give problems.  If you haven’t got a spare server, try a parallel installation on an existing machine.

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

SP1 Superstitions

An enduring superstition for all service packs, is that even numbers are good but odd numbers are bad.  I will leave you to make up your own mind.  Another urban myth is that applying SP1 will transform 120 evaluation copies into fully blown versions of Windows Server 2003 – wrong.

Incidentally, ‘Mad Mick’ was telling me that he tried to apply SP1 to one of his ‘clients’ servers and it would not install.  It turned out to be a pirate copy of Windows Server 2003, and you cannot apply SP 1 to such machines.  Mick started to blame Microsoft, but eventually even Mick had to concede that preventing SP1 running on pirate software, was fair enough.  This really is a case of ‘feature by design’.

A ‘killer’ reason to install SP1 (after testing)

A security guru told me what happens after Microsoft release a security fix.  He claims that hackers reverse engineer the fix and discover the underlying vulnerability.  Then these hackers design a nasty virus which attacks those who did NOT apply the service pack.  So you have to be smart and install SP1 before a new wave of viruses attack your Windows Server 2003.

How to obtain SP1 for Windows Server 2003

In general SP1 works in just the same way as previous Microsoft service packs.  Keep in mind that all you need is one SP1 file, which can be applied to all your Windows Server 2003 editions, Standard, Enterprise, Web, even the SBS edition.

Kevin kindly tells me that Microsoft is going to bring out a new edition especially for SBS.  Furthermore, Kevin says while you can apply SP1 to SBS, it’s better to wait for the specially designed service pack.

Watch out for another new twist from Microsoft; there are now multiple versions of SP1. One version designed for single server application, one version for deploying to multiple servers, and also a 64bit Itanium version.  (There are also 2 developer versions with checked code.)  Just to recap, which ever SP1 file you download, it works for all editions of Windows Server 2003.

When I downloaded the SP1 file from Microsoft, the size was about 337 MB.  To then go ahead and install SP1, your server needs a minimum of 700 MB free disk space, 2 GB recommended.

Summary SP1 for Windows Server 2003

Test SP1 on your machine now.  Microsoft’s worthy goals for this service pack are improved security and reliability.  Watch out for new Windows Server 2003 features, for example, firewall and the Secure Configuration Wizard.

See more information about Microsoft Windows service packs

Windows 8 Tips  •E 189 Windows 7 SP1  • E 157 Vista SP2  • Windows 8 Task Manager

E 135 Vista SP1  • E 129 Vista SP1  • E 130 Vista SP1  •E 50 W2K3 SP1  • E 34 XP SP3

E 23 SUS  •Free Network Device Manager  •Real-time Network Traffic Monitor  • Ezines