       Some SP1-1137 shots
    One of the Twelv...
    post Dec 18 2003, 03:32 PM
    Post #1


    away from keyboard

    Group: Respected Members
    Posts: 1168
    Joined: 17-December 02
    From: Finland
    Member No.: 8






    Quickly browsing the new features.. Security Config Wizard, an improved IIS Lockdown tool? You must install this separately from Add/Remove programs. "Readme" says it's in Start menu, but no, it's in Administrative Tools.



    Now you know, when you see this file accessing internet, it's not a trojan but part of this new feature:



    Also, whole SP1 asked me whether it's allowed to connect to a domain name server while installing it... I gave the permission. This wizard does not tell me what it exactly does. Which is no good. Choices are few.. Next after this comes a server role-based security config page. After all I think this tool will be useful. At the moment it says "Beta" everywhere.



    I'll continue according to my time.
    BlueScreenOfDeat...
    post Dec 18 2003, 04:03 PM
    Post #2


    ~* Hardware & Beta Guru *~

    Group: Super Moderator
    Posts: 6854
    Joined: 10-January 03
    From: Little Rock, Arkansas USA
    Member No.: 258




    very nice One, I wonder if it will have the same features they are including in SP2 for XP


    --------------------
    "Fallen Is He Who Once Soared...."


    Flexbeta | TechNews Magazine | GeekSmack | iWinUX |
    Copyright™ 2002-2008 BlueScreenOfDeath Org™. All Rights Reserved.
    One of the Twelv...
    post Dec 18 2003, 09:18 PM
    Post #3


    away from keyboard

    Group: Respected Members
    Posts: 1168
    Joined: 17-December 02
    From: Finland
    Member No.: 8




    QUOTE(BlueScreenOfDeath @ Dec 18 2003, 06:03 PM)
    very nice One, I wonder if it will have the same features they are including in SP2 for XP

    no same features... 192mb bug fixes, and some new things. Server is pretty much different to the workstation.

    QUOTE
    New Functionality Included in SP1

    This section describes changes to functionality included with SP1.

    The Security Configuration Wizard

    The Security Configuration Wizard is included with SP1 for the Windows Server 2003 family. You can use the wizard to create, edit, or apply a security policy for a computer or group of similarly configured computers.

    To use the Security Configuration Wizard, you must first install SP1. You can then add the wizard by using Add or Remove Programs. You will be prompted for the Service Pack 1 CD or the location on the network where you copied the SP1 files. After the wizard is installed, it is added to the Administrative Tools menu.

    To use the wizard, click Start, point to All Programs, and then click Microsoft Security Configuration Wizard. You can then use the wizard to configure your servers.

    For information about using the Security Configuration Wizard, click the Help link included in the wizard interface.

    Note

    If you prefer, you can continue to configure security policies with the existing Security Configuration and Analysis or Security Templates snap-ins for Microsoft Management Console (MMC). The Security Configuration Wizard is not required, but we recommend that you use it if you want to create a security policy for your servers.

    Using Microsoft Outlook® with Certificate Services and Windows Server 2003

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    If you use any version of Microsoft Outlook® with Certificate Services and any of the Windows products listed in this section, see article 821574, "Windows Prompts You for Your Password Multiple Times When You Use Outlook If Strong Private Key Protection Is Set to High" in the Microsoft Knowledge Base. This article contains information about private key protection.

    IIS 6.0 Performance

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    For products in the preceding list, you have the option of running Secure Sockets Layer (SSL) in kernel mode. User-mode SSL is the default.

    "Kernel-mode" (as differentiated from "user-mode") refers to how system components or processes execute in an operating system. Components that execute in kernel-mode run in the core operating system address space.

    The kernel-mode feature improves SSL performance because it moves encryption and decryption operations to the kernel. This reduces the number of transitions between kernel mode and user mode.

    Kernel-mode SSL is subject to the following restrictions:

        * Client certificate implementations are not supported.
        * RC2 ciphers are not supported.
        * PCT 1.0 protocol is not supported.
        * Server certificate configuration changes require an HTTP restart.
        * Internet Server Application Programming Interface (ISAPI) GetServerVariable calls for certificate information do not work.
        * Bulk encryption offload is not supported.
        * In Internet Information Services (IIS) 5.0 isolation mode, raw ISAPI filters (read and write raw data notifications) for both secure and nonsecure connections are not supported.

    Configuring kernel-mode SSL

       1. To configure SSL to run in kernel mode, set the following Windows registry key:

          HKLM\System\CurrentControlSet\Services\HTTP\Parameters\EnableKernelSSL (DWORD)
       2. Set the following values for the registry key:

          Ensure that the EnableKernelSSL key value is set to 0. This is the default.

          To use kernel-mode SSL rather than user-mode SSL, set the value of EnableKernelSSL key to 1. Enabling kernel-mode SSL disables user-mode SSL.
       3. Restart the HTTP service.

    Caution

    Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    Changes to HTTP API Error Logging

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    Error logs at the location %windir%\system32\LogFiles\HTTPERR have been improved. They now include World Wide Web Consortium (W3C)–style headers and request-queue information. As a result, standard tools can parse the log file. You will then be able to find the origin of the error in the log file.

    For more information about error logging in HTTP.SYS, see article 820729, "INFO: Error Logging in HTTP API," in the Microsoft Knowledge Base.

    Microsoft FrontPage® 2002 Server Extensions

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    New search functionality, called Integrated Indexing Server Search, is included for Microsoft FrontPage® Server Extensions 2002 in Windows Server 2003 SP1. This replaces the previous search feature, called Wide Area Information Searching (WAIS), that was included with Windows 2000 and Windows XP. For information about using Integrated Indexing Server Search, see the Microsoft TechNet Web site.

    HTTP.SYS Supports WOW64

    This section pertains to 64-bit versions of the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    HTTP.SYS now supports 32-bit applications running on 64-bit Windows operating systems (WOW64). As a result, 32-bit applications that use HTTP.SYS can run without changes to the programs (such as recompiling or changes to the data structures) on the 64-bit products listed in this section.

    Internet Connection Firewall for IPv6

    This section pertains to 32-bit versions of the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Enterprise Edition

    The 32-bit versions of Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition included Internet Connection Firewall for Internet Protocol version 4 (IPv4), but not for Internet Protocol version 6 (IPv6). Internet Connection Firewall for IPv6 is included with SP1 for the Windows Server 2003 family.

    Performance Improvement in HTTP.SYS

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    The functions, HttpSendHttpResponse and HttpSendResponseEntityBody in http.h, expose an option called HTTP_SEND_RESPONSE_FLAG_BUFFER_DATA. This occurs through the "Flags" parameter in the function. You can use this option to improve the performance of HTTP applications in the following situations:

       1. When an HTTP.SYS application sends HTTP responses synchronously.
       2. When an HTTP.SYS application sends non-final HTTP responses asynchronously.

    In the first situation, if an application must use both function calls, HttpSendHttpResponse and HttpSendResponseEntityBody, to send a one-HTTP response (that is, send HTTP headers followed by HTTP entity bodies associated with a single response), the flag should be set on both function calls.

    In the second situation, if an application must use both function calls, HttpSendHttpResponse and HttpSendResponseEntityBody, to send a one-HTTP response (that is, send HTTP headers followed by HTTP entity bodies associated with a single response), the flag should be set on both function calls only if the application programming interface (API) is not used to send the final response.

    SSL Authentication Added to Terminal Services

    This section pertains to the following products:

        * Windows Server 2003, Standard Edition
        * Windows Server 2003, Web Edition
        * Windows Server 2003, Enterprise Edition
        * Windows Server 2003, Datacenter Edition

    With SP1 for the Windows Server 2003 family, you can configure Terminal Server connections to use Secure Sockets Layer (SSL) for server authentication.

    By default, SSL is not in use, but you now have the option of enabling SSL.

    Important

    In order for SSL authentication to take place, the following two conditions must be met:

       1. The server must have an SSL-compatible certificate with a private key. This is a certificate whose intended purpose is to perform server authentication. It has a corresponding private key.

          The certificate is located in the local computer’s personal store, which you can view in the Certificates snap-in. If you are requesting the certificate from Windows Server 2003 family Certificate Services, you must also request a certificate that uses Microsoft RSA SChannel Cryptographic Provider for its cryptographic service provider (CSP).
       2. The client must trust the root of the server’s certificate. The client computers must include in their Trusted Root Certification Authorities store the certificate of the certification authority that issued the server certificate. You can view the certificate in the Certificates snap-in.

    To select a certificate for server authentication of terminal services connections

       1. Open the Terminal Services Configuration snap-in.
       2. In the console tree, click Connections.
       3. In the details pane, right-click the connection you want to modify, and then click Properties.
       4. In the Authentication section, click Edit, click a certificate, and then click View Certificate.

          Only certificates that have not expired and whose intended purpose is server authentication will appear in the Select Certificate dialog box.
       5. Verify that the certificate has a private key. To do so, ensure that "You have a private key that corresponds to this certificate" is displayed at the bottom of the General tab.

    Important

    If the certificate does not have a private key, and you enable SSL, computers will be unable to use Terminal Services to connect to your server.

       6. After you have verified that the certificate has a private key, click OK, and then in the Select Certificate window, click OK again.

    To enable SSL for server authentication

       1. Open the Terminal Services Configuration snap-in.
       2. In the console tree, click Connections.
       3. In the details pane, right-click the connection you want to modify, and then click Properties.
       4. On the General tab, in Authentication click one of the following:
              * None (default): Select this setting if you do not want to enable SSL authentication.
              * Client Compatible: Select this setting if you want the highest level of authentication that is supported by the client. To use this setting, the Encryption level must be set to Client Compatible, High, or FIPS compliant. With the Client Compatible setting, if the server does not have an SSL-compatible certificate, new connections or reconnections will be allowed only for clients whose authentication setting is No authentication.
              * SSL required: Select this setting if you want to allow only SSL connections. If you use this setting, the Encryption level must be set to High or FIPS Compliant. If you select this setting, and the server does not have an SSL-compatible certificate with its private key, the connection will fail.
       5. After you have finished making your selection, click OK.

    For more information about enabling SSL authentication for Windows Server 2003 family Terminal Server connections, see Terminal Server on the Microsoft TechNet Web site.

    Enabling SSL on the client computer

    Only computers running Windows 2000 or Windows XP can be configured to connect to servers using SSL authentication.

    You can install the client-side remote desktop connection from the following directory on your server:

    %windir%\system32\clients\tsclient\win32\msrdpcli.msi

    The new version of Remote Desktop Connection will be installed in the following directory:

    %windir%\Program files\Remote Desktop

    By default, the client computer will not use SSL authentication. There are several ways to enable SSL authentication on the client computer, however. You can enable it through Remote Desktop Connection, you can create an .rdp file and distribute it to the clients, or you can force clients to a certain authentication setting through a registry key.

    To enable authentication on a client computer

       1. Click Start, point to Programs or All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
       2. Click Options.
       3. On the Security tab, under Authentication setting, click one of the following options:
              * No authentication (default): Select this option if you do not want to use SSL for authentication.
              * Attempt authentication: Select this option if you want to attempt authentication by using SSL. For expired certificates, the user is given the option of continuing the connection without SSL if the name in the certificate does not match the name of the computer, or the certificate is not from a trusted certifying authority. If any other authentication errors occur, the connection will fail.
              * Require authentication: To achieve SSL authentication, the server must have an SSL-compatible certificate with its private key, and the client must trust the root of the server’s certificate. If these conditions are not met, the connection will fail.

    To enable authentication on the client using an .rdp file

       1. Click Start, point to Programs or All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection. Click Options.
       2. On the Security tab, under Authentication setting, click No authentication, Attempt authentication, or Require authentication.
       3. On the General tab, click Save As.
       4. Enter a file name for the saved connection file, and then click Save. Connections are saved as Remote Desktop protocol (.rdp) files. An .rdp file contains all of the information for a connection to a terminal server, including the Options settings that were in effect when the file was saved. You can customize any number of .rdp files, including files for connecting to the same server with different settings.
       5. Distribute the .rdp file to client computers.

    Note

    You can also use Notepad to edit the .rdp file. The parameter is authentication level. The value can be 0, 1, or 2, where:

    0 = No authentication

    1 = Require authentication

    2 = Attempt Authentication

    For example, the entry for no authentication is authentication level:i:0.

    To enable authentication on the client through a registry key

       1. Open the Registry Editor.
       2. In Registry Editor, navigate to one of the following registry keys:

          HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\

          Or

          HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\
       3. Create the following entry:

          AuthenticationLevelOverride
       4. Assign a DWORD value of 0, 1, or 2. Any other values will be ignored.

          0 = No authentication

          1 = Require authentication

          2 = Attempt Authentication

    Caution

    Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    Note

    When the registry key is set to an authentication option, users will be unable to change the authentication option; it will be unavailable in remote desktop connections. The HKEY_CURRENT_USER settings take precedence over HKEY_LOCAL_MACHINE settings.
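The release notes quoted in post #3 give three places where the Remote Desktop client's SSL authentication setting can come from (an .rdp file, and AuthenticationLevelOverride under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER). The following is an added example, not part of the thread or of Microsoft's notes, that resolves the effective setting for a client and flags anything weaker than "Require authentication". The function names and the sample inventory are hypothetical; it assumes a registry override beats the .rdp file and that an ignored (invalid) value behaves as if unset.

```python
import re

# Value meanings exactly as the quoted release notes list them.
LEVELS = {0: "No authentication", 1: "Require authentication",
          2: "Attempt authentication"}
RDP_ENTRY = re.compile(r"^\s*authentication level:i:(\d+)\s*$", re.IGNORECASE)


def rdp_file_level(rdp_text):
    """Return the level set in decoded .rdp text, or None if absent/invalid."""
    level = None
    for line in rdp_text.splitlines():
        match = RDP_ENTRY.match(line)
        if match and int(match.group(1)) in LEVELS:
            level = int(match.group(1))  # assumption: last valid entry wins
    return level


def effective_level(rdp_text="", hklm=None, hkcu=None):
    """Resolve (level, source) for one client.

    hklm / hkcu are the AuthenticationLevelOverride DWORDs, None when unset.
    Assumptions: an override beats the .rdp file, and an ignored (invalid)
    override behaves as if it were not set.
    """
    for source, value in (("HKCU override", hkcu), ("HKLM override", hklm)):
        if value in LEVELS:  # only 0, 1 and 2 are honoured
            return value, source
    file_level = rdp_file_level(rdp_text)
    if file_level is not None:
        return file_level, ".rdp file"
    return 0, "default"  # clients do not use SSL authentication by default


def audit(clients):
    """Return (name, setting, source, finding) per client; only level 1 passes."""
    findings = {0: "FAIL: server identity is never checked",
                1: "ok",
                2: "WARN: user may continue past name or trust errors"}
    rows = []
    for name, cfg in clients.items():
        level, source = effective_level(**cfg)
        rows.append((name, LEVELS[level], source, findings[level]))
    return rows


# Constructed sample inventory (not taken from the thread).
SAMPLE_CLIENTS = {
    "kiosk-01": {"rdp_text": "full address:s:ts01\nauthentication level:i:1\n"},
    "laptop-07": {"rdp_text": "authentication level:i:1\n", "hklm": 1, "hkcu": 0},
    "desk-12": {"rdp_text": "authentication level:i:9\n", "hklm": 2, "hkcu": 5},
    "desk-13": {"rdp_text": "full address:s:ts01\n"},
}

if __name__ == "__main__":
    for row in audit(SAMPLE_CLIENTS):
        print("%-10s %-24s %-14s %s" % row)
```

The laptop-07 row shows why the per-user key matters in an audit: a machine-wide value of 1 is silently replaced by the user's 0.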
    cooldude7273
    post Dec 18 2003, 10:20 PM
    Post #4


    teh cooldude

    Group: Advanced Member
    Posts: 305
    Joined: 21-August 03
    From: Roswell, GA, USA
    Member No.: 3813




    ^ good god


    --------------------

    MsBetas.org .::. Need Hosting? Go to Number1Host.net!
    This Post Copyright © 2007 Cooldude7273 enterprise, all rights reserved. Quoters of this post must pay $0.25 royalty fee.
    benwalburg
    post Dec 18 2003, 10:23 PM
    Post #5


    Super FlexFreak

    Group: Respected Members
    Posts: 2353
    Joined: 26-December 02
    From: Grand Haven Michigan. USA
    Member No.: 97




    dang that sure is a lot of fixes!


    One of the Twelv...
    post Dec 19 2003, 05:48 AM
    Post #6


    away from keyboard

    Group: Respected Members
    Posts: 1168
    Joined: 17-December 02
    From: Finland
    Member No.: 8




    QUOTE(benwalburg @ Dec 19 2003, 12:23 AM)
    dang that sure is a lot of fixes!

    Here is a list of fixes, those mentioned above were new features... a lot of fixes indeed!
    Attached File(s)
    Attached File  sysprop_1137.jpg ( 36.06K ) Number of downloads: 53
     