Thoughts on Windows Server 2003 SP1 RC

Microsoft announced that Windows Server 2003 Service Pack 1 Release Candidate is available for testing on non-production servers. I installed it remotely using Rdesktop on a 180 day evaluation copy of Windows Server 2003 with hotfixes installed. The whole process went smoothly, and after a reboot I was still able to connect via Rdesktop and PsExec.

Microsoft published Top 10 Reasons to Install Windows Server 2003 SP1, which I found interesting reading. The majority of the reasons sound helpful. Point one is especially revealing. Microsoft now recommends "reducing the attack surface," which is code for disabling unnecessary services via the "Security Configuration Wizard" (SCW). Microsoft says "With SCW you can disable unused services easily and quickly, block unnecessary ports, modify registry values, and configure audit settings." I heartily endorse this and many other changes.

Points nine (Help secure Internet Explorer) and ten (Avoid potentially unsafe e-mail) indicate there are still problems with the way Microsoft approaches system administration. A fundamental tenet of good system administration is to avoid browsing the Web or reading external email on production servers. In some ways this has not been a problem for UNIX administrators who do not install X on their servers. They could use Lynx and Mutt in a text environment, but on servers they tend not to casually surf the Web or read email using either tool. Even if they do, there have been orders of magnitude fewer attacks against text-based Web and email clients -- and what general attacker targets such programs?

Some (such as Macintosh devotees) believe the GUI was one of the great advancements in personal computing. I agree as far as personal computing goes, but I believe the GUI should stay on the PC and away from servers. A GUI invites trouble when it wrongly empowers administrators to use powerful and potentially exploitable Web and email clients. Suddenly a user with administrator privileges can be hit by client-side attacks. The best way to avoid such a situation is to not allow Web or email clients to run on servers, not simply improve the security of such programs. I have seen Microsoft encourage users not to do so, but I do not see Windows administrators breaking this mind-set any time soon.

The GUI is an example of a feature that is not really needed to provide services to clients. What client needs a server-side GUI to offer Web pages, carry email, or serve SQL queries? If a Windows system could be installed without a GUI, we might see less successful exploitation of Windows systems. Microsoft is taking a step in the right direction by providing tools to limit the services activate on its systems. I would like to see Windows machines install no listening services by default, except for an OpenSSH-like remote administration client. Then, using a wizard, administrators could add in the services they believe they need.

It would also be helpful for Microsoft servers to offer individual services on specific ports, and not group everything under the sun on a few well-known ports. An administrator who can look at a port listing and know the meaning of seeing port X and Y, but not Z, is an empowered administrator. Individual services on specific ports simplifies network-based access control and identification of rogue services.