Microsoft fills security gaps with OS update

Von Carol Sliwa

IT managers will find several tools designed to help them protect systems from security threats in the first service pack update for Windows Server 2003, which Microsoft Corp. released on Wednesday -- nearly two years after the operating system"s debut.

Some users said they hope Service Pack 1 can reduce the need to augment Windows Server 2003 with third-party security software. New features in SP1 include a built-in firewall, Network Access Quarantine Control components to isolate out-of-date virtual private network assets, and a wizard that gathers information about the roles of servers and blocks services and ports that aren"t needed.

"That"s great, because we don"t have to integrate it all piecemeal. It comes all at once," said Jonathon Addington, a network administrator at sporting goods equipment manufacturer K-2 Corp. in Vashon, Wash.

Addington said that in some cases, K-2 has already brought in third-party products to provide some of the functionality that Microsoft is adding in SP1. But the prospect of not having to buy other products, such as firewall hardware, is enticing. "It could save a great deal of money," Addington said.

However, that won"t provide any relief for past investments needed to fill the voids in Windows Server 2003, said an infrastructure support director at an insurance company who asked not to be identified. Microsoft "came late to the security party," he said. "It"s hard to thank the car dealer for delivering the tires today when the car was bought years ago."

The Security Configuration Wizard in SP1 gives companies new capabilities to harden their systems against attack, but the insurer has already tackled that on its own. The support director there said he"s not sure that abandoning the company"s proven methods in favor of Microsoft"s tools would provide better protection.

Microsoft initially said Windows Server 2003 SP1 would ship in the second half of 2004. But when the company marshaled its resources behind Service Pack 2 for its Windows XP operating system, the schedules for other Windows releases was disrupted, according to Al Gillen, an analyst at Framingham, Mass.-based market research company IDC.

Gillen said the delay on Windows Server 2003 SP1 didn"t have a critical impact on most corporate IT shops because Microsoft has released some security enhancements along the way. Also, the initial software was more secure out of the box than the typical Windows release, he said.

Yet even companies that have regularly patched their systems should look at installing SP1, according to Samm DiStasio, director of product management in Microsoft"s Windows Server division. He said Microsoft made changes as part of SP1 to address the root causes of certain classes of attacks, and those tweaks aren"t incorporated into the existing patches.

One major concern for users deploying any operating system update is application compatibility. To that end, Microsoft has tested more than 125 applications with SP1 and plans to post a document on its Web site to show the findings, DiStasio said.

Some beta testers spotlighted by Microsoft said they have seen only minor problems, and they were quickly resolved. For instance, the IT department of the government of Fulton County, Ga., hit a "couple of bumps" last year while testing SP1 on 30 servers. But Russell Mobley, an assistant director of IT for the county, said staffers encountered no problems deploying the final release on 100 production servers running Exchange, file-and-print and directory services, and various departmental applications.