Windows Server 2003 – SP1 Service Pack 1

Windows Server 2003 – SP1 (Service Pack one)

Service packs have personalities, and the main character of Windows Server 2003 SP1 is security.  There is a similarity between this SP1 for W2K3 and SP2 for XP, for instance they both enhance have a new firewall.

Microsoft are shifting into proactive mode.  With SP1 they are removing attack points and battening down the hatches; Microsoft seem determined to make it as difficult as possible for malicious code to get a handle on the operating system.  Some say, ‘about time too’, other say ‘Microsoft are delivering on their promise to make security a priority’.

Topics for Windows Server 2003 – SP1


What SP1 can do for your Windows 2003 Server?

  1. Fix problems.  For example, ‘No Execute Hardware’ prevents malicious code from manipulating memory.  SP1 enforces RPC and DCOM services to authenticate.
  2. Apply all hot fixes in one go, for example numerous security enhancements to Internet Explorer.
  3. Introduce new features.  As well as a built-in Firewall, there is a Security Configuration Wizard to turn off un-needed services.  It is possible that Microsoft will trial features that will emerge in Longhorn in W2K3 Service packs.
  4. SP1 refines existing features for example, WebDAV redirection.

New Features in SP1

One characteristic of Microsoft’s service packs is that they introduce new features.  If you were in the developer’s shoes, I guess you would want try out components that were going to be released in the next generation, Longhorn.

Data Execution Protection (DEP)

I have to say that Microsoft are at their best when they have a vision.  Data Execution Protection (DEP) may have an unfamiliar acronym but it has a worth goal; to prevent malicious code from disturbing the operating system.  People laughed at PnP (Plug and Pray, Plug and Prey?) but now we take for granted the idea of installing software without user intervention.  One day DEP will be accepted as the norm.

Security Configuration Wizard (SCW)

Here is another concept that Microsoft has been gently pushing, namely that you should identify a role for a server, such as, DC, Application or Web, then tune the server to its particular role.  Perhaps de-tuning would be a better word, as the idea is to turn off services that are not required.  In fact, Microsoft lead the way by turning off IIS by default.  SCW takes the concept a stage further by providing an interface where you can control security and services all in one place.  Think of SCW as a halfway house between Security Configuration Manger and MOM (Microsoft Operations Manager).

SCW is an optional component of SP1, and as well as a GUI,  SCW has a command line version scwcmd.exe.  You may have noticed the march of XML to format output, as expected the SCW configurations are controlled by XML files.

Solarwinds Patch ManagerGuy Recommends You Try SolarWinds Patch Manager (SPM)

With SPM you can push out patches, which companies such as Mozilla Firefox or Adobe Acrobat provide.  The point is that because WSUS does not do this for non-Microsoft software updates, you need a good add-on to take care of this task.  With the Patch Manager you can even create your own packages to apply to your servers or clients.

Download your free trial of SolarWinds Patch Manager

Problems with service packs

The reason why service packs occasionally cripple servers, is that some machines have a combination of hardware and software that have not been validated for a particular service pack.

I estimate that 95% of all service packs which have ever been applied to any machine, worked perfectly.  However, if you suffer from one of the service packs that cause problems, it’s like being mugged.  While your belief is that this misfortune only befalls someone else, when it does happen to you, there is a terrible feeling of shock and betrayal.

Problem with Dell and HP Bios

Dell and HP servers require a BIOS upgrade before you can install SP1.  So, I was wrong when I thought that there should be no problem on mainstream servers.  Perhaps you see what I mean about each service pack having its own personality.

Problem with Exchange 2003

Does your Windows Server 2003 run Exchange 2003?  If so, Windows Hosting recommend waiting for Exchange 2003 Server SP2, before applying Windows Server 2003 SP1.  As far as Microsoft themselves are concerned, there is but one issue with SP1 and Exchange 2003, namely that OWA won’t work properly on a clustered Exchange 2003 server.

Acknowledgements.  I thank Danny, Sean, Lee and Kevin for supplying extra information on SP1 problems.

Problem with Server 2003 SP1 and restoring a complete back up.

We had one of our DC’s go down after a failed raid rebuild.  Fortunately, we had full back up of the C: D: and system state.  So we formatted the raid and reinstalled the new Windows 2003 machine as a standalone server but with the same name as it was before.

On reboot after the restore I got a ‘cannot load DDL from kernel’.  It appears that there is a Issue with SP1 and a rebuild from a restore back up.  When you rebuild the server with the new OS you must put SP1 back on before restoring your data, apparently some of the files needed from the SP1 are not present when doing a full back up (not sure which ones).  However, I can tell you that it worked fine after rebuilt, and got SP1 installed.

Acknowledgement to Daz

Guy Recommends: The Mobile IT Administration AppSolarwinds Mobile IT Administration App•

How cool is correcting a minor problem on a server with a couple of taps on your smartphone?  Thanks to the Solarwinds Mobile IT Admin App, you can carryout routine tasks with a flick of your fingers on a phone screen.

  • Operate your iPhone to unlock an Active Directory account.
  • Use your iPad to check Windows Updates on your server.
  • Try Solarwinds Mobile IT Administration App now.

Download your fully functional 30 day trial of this Mobile IT App

Problem with SUS

Another report for Daz.  Apparently SP1 has tightened up on service permissions, the problem went away after giving read access rights for "Network Service" group on WUSyncSvc.exe and folder tree SUS\vroot\autoupdate\administration.

Minor Problem with extra security

If there is a problem on Windows Server 2003, then it is most likely the feature has been blocked thanks to tighter security.  The solution is easy, just find the setting and adjust it, for example, remote administration now needs to open port 445 on the firewall.

Here is the definitive SP1 reference KB 896367

Other Microsoft applications that failed the compatibility test
Application Center 2000 Service Pack 2
Internet Security and Acceleration Server 2004 Standard Edition
Microsoft Baseline Security Analyzer (MBSA) 1.2.1
Systems Management Server 2003

Third-party applications
Citrix Metaframe XPe FR3 and
Computer Associates Brightstor ARCserver Backup 11.0,
HP Insight Manager 4.0 and Compaq Insight Manager,
Kerio Server Firewall 1.0,
NetIQ AppManager 5.0.1 and 6.0
NetIQ Group Policy Administrator 2.0,
Trend Micro ServerProtect.

Test your particular server

The only way to discover the truth is by testing SP1 on one of your Windows 2003 Servers.  One philosophy is to always keep one service back behind.  However I don’t buy that idea.  Time alone will not magically cure a flaw; you have to test the service pack on a real machine.  If waiting means time spent researching, then fair enough, check your favourite forum or bulletin board for information on hardware / software combinations that give problems.  If you haven’t got a spare server, try a parallel installation on an existing machine.

See a SolarWinds Patch Manager »

Service Pack Superstitions

An enduring superstition for all service packs, is that even numbers are good but odd numbers are bad.  I will leave you to make up your own mind.  Another urban myth is that applying SP1 will transform 120 evaluation copies into fully blown versions of Windows Server 2003 – wrong.

Incidentally, ‘Mad Mick’ was telling me that he tried to apply SP1 to one of his ‘clients’ servers and it would not install.  It turned out to be a pirate copy of Windows Server 2003, and you cannot apply SP 1 to such machines.  Mick started to blame Microsoft, but eventually even Mick had to concede that preventing SP1 running on pirate software, was fair enough.  This really is a case of ‘feature by design’.  See a review of Windows 7 SP1

A ‘killer’ reason to install SP1 (after testing)

A security guru told me what happens after Microsoft release a security fix.  He claims that hackers reverse engineer the fix and discover the underlying vulnerability.  Then these hackers design a nasty virus which attacks those who did NOT apply the service pack.  So you have to be smart and install SP1 before a new wave of viruses attack your Windows Server 2003.

Some good news, once again SP 1 will ‘slipstream’ like Windows 2000.  This means that you will NOT have to keep re-applying the service pack as you did with NT 4.0.  How this slipstreaming works is that all the new file versions are stored in the %systemroot%\system32\dllcache folder.  This reminds me, to remind you, to make sure that the %systemroot% partition is plenty big enough to take all these extra files.

How to obtain SP1 for Windows Server 2003

In general SP1 works in just the same way as previous Microsoft service packs.  Keep in mind that all you need is one SP1 file, which can be applied to all your Windows Server 2003 editions, Standard, Enterprise, Web, even the SBS edition.  Talking of the SBS version, Microsoft released a special SP1 for SBS about a month after the regular version of SP1.

Kevin kindly tells me that Microsoft are going to bring out a new edition especially for SBS.  Furthermore, Kevin says while you can apply SP1 to SBS, it’s better to wait for the specially designed service pack.

Watch out for another new twist from Microsoft; there are now multiple versions of SP1. One version designed for single server application, one version for deploying to multiple servers, and also a 64bit Itanium version.  (There are also 2 developer versions with checked code.)  Just to recap, which ever SP1 file you download, it works for all editions of Windows Server 2003.

When I downloaded the SP1 file from Microsoft, the size was about 337 MB.  To then go ahead and install SP1, your server needs a minimum of 700 MB free disk space, 2 GB recommended.

Summary SP1 for Windows Server 2003

Test SP1 on your machine now.  Microsoft’s worthy goals for this service pack are improved security and reliability.  Watch out for new Windows Server 2003 features, for example, firewall and the Secure Configuration Wizard.  N.B. from the spring of 2007, it would be better to get Windows Server 2003 SP2

If you like this page then please share it with your friends


Related Windows Server 2003 Topics:

Windows Command Line Tools   • Windows Server 2003 Tips   • Windows Server 2003 Services

Unhide Settings   • Exchange System Manager   • WSUS Server 2003