Windows Tip Sheet

Enter the Slipstream

Here's how to do a secure Win2003 install with Windows Firewall and SP1.

Okay, you know Win2003 SP1 is out. Maybe you’ve installed it; maybe you’re waiting a bit. Either way, you need to get a slipstreamed copy available immediately.

Say what? A slipstreamed copy of Win2003 is basically an installation CD (or the installation files on a network share) with SP1 already incorporated, so that after installing the operating system you don’t have to specifically install SP1; it’s built in.

Why? Windows Firewall. It doesn’t matter what you think of Windows Firewall on a server; at install time it’s crucial. We know SP1 isn’t the end of Win2003 hotfixes, and some of the post-SP1 hotfixes will patch security vulnerabilities. So when you do a fresh install of Win2003, with SP1 slipstreamed, the operating system engages the Windows Firewall automatically on first boot. It’s called “shields-up” mode, and I’ve written about it in the past. It’s designed to protect the computer until you can get to Windows Update, a SUS server or whatever to get the latest patches installed. Once you’re ready, you take the shields (firewall) down and start using the server in production.

But the key is having slipstreamed installation media. First, if you’re doing this to a network share containing a copy of the Win2003 installation files, make sure no non-SP1 servers are relying on that network share. In other words, you might want to think about creating a fresh share unless all of your servers already have SP1 installed. Next, you’re going to need SP1, obviously; specifically, the network installation version of it (link to the English version below).

Copy all of the Win2003 installation files from a CD’s i386 folder to a local folder, such as C:\Win2003\i386. Extract the SP1 files by running the SP1 executable with the /x switch. Be sure to extract these to a unique folder, like C:\Win2003SP1. Finally, go into the SP1 update files (in, say, C:\Win2003SP1\i386\update) and run update.exe –s:C:\Win2003. This will slipstream whatever’s in C:\Win2003\i386. Be sure not to specify the i386 subfolder in the /s switch, or you’ll wind up with C:\Win2003\i386\i386, which won’t work.

You can perform installations right from there, if you want, or you can burn a CD from those files. New installations will automatically raise shields right after the install is complete, giving you time to bring the new system up-to-date with the latest patches before exposing it to the wilds of your network.

More Resources

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.