Windows Tip Sheet
Enter the Slipstream
Here's how to do a secure Win2003 install with Windows Firewall and SP1.
Okay, you know Win2003 SP1 is out. Maybe you’ve installed it; maybe you’re
waiting a bit. Either way, you need to get a slipstreamed copy available immediately.
Say what? A slipstreamed copy of Win2003 is basically an installation
CD (or the installation files on a network share) with SP1 already incorporated,
so that after installing the operating system you don’t have to specifically
install SP1; it’s built in.
Why? Windows Firewall. It doesn’t matter what you think of Windows Firewall
on a server; at install time it’s crucial. We know SP1 isn’t the
end of Win2003 hotfixes, and some of the post-SP1 hotfixes will patch security
vulnerabilities. So when you do a fresh install of Win2003, with SP1 slipstreamed,
the operating system engages the Windows Firewall automatically on first boot.
It’s called “shields-up” mode, and I’ve written about
it in the past. It’s designed to protect the computer until you can get
to Windows Update, a SUS server or whatever to get the latest patches installed.
Once you’re ready, you take the shields (firewall) down and start using
the server in production.
But the key is having slipstreamed installation media. First, if you’re
doing this to a network share containing a copy of the Win2003 installation
files, make sure no non-SP1 servers are relying on that network share. In other
words, you might want to think about creating a fresh share unless all of your
servers already have SP1 installed. Next, you’re going to need SP1, obviously;
specifically, the network installation version of it (link to the English version
below).
Copy all of the Win2003 installation files from a CD’s i386 folder to
a local folder, such as C:\Win2003\i386. Extract the SP1 files by running the
SP1 executable with the /x switch. Be sure to extract
these to a unique folder, like C:\Win2003SP1. Finally, go into the SP1 update
files (in, say, C:\Win2003SP1\i386\update) and run update.exe
–s:C:\Win2003. This will slipstream whatever’s in C:\Win2003\i386.
Be sure not to specify the i386 subfolder in the /s
switch, or you’ll wind up with C:\Win2003\i386\i386, which won’t
work.
You can perform installations right from there, if you want, or you can burn
a CD from those files. New installations will automatically raise shields right
after the install is complete, giving you time to bring the new system up-to-date
with the latest patches before exposing it to the wilds of your network.
More Resources
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.