It is important to ensure that all the latest patches and updates are applied to any Windows Server 2003 (WS2003) installations if the server will continue to be used past the official July 14, 2015, end-of-life, which is when Microsoft ceased supporting the software.
WS2003 contains a number of features to help manage patches.
The Windows Server Update Services (WSUS) helps manage patches for several products. It has a section devoted to Windows Server 2003. It uses a repository of Windows updates to check systems for updates and packages. It can either send notifications of missing updates and patches or install them automatically. It also includes features to allow users to automatically install some classes of updates and manually install others.
Another important tool is the Microsoft Security Baseline Analyzer. It scans for missing security patches and common security misconfigurations in Windows Server systems.
Standalone updates are applied to a computer that is already running the operating system. When the update program is run it installs the necessary files and makes the appropriate registry changes. Update.exe registers the updates under the following registry keys:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftUpdatesServer2003SP2KB######
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotfixKB######
How to install updates on multiple systems
To install updates on multiple systems, follow these steps:
Windows 2003 Sp2 Patch
- Connect to the network where you want to create the distribution folder.
- In the shared distribution folder, create a folder for the update files.
- Copy the Windows Server 2003 Update.exe program to the distribution folder you created in Step 2.
- To install the update from the distribution folder, run the WindowsServer2003-KB######-x86-LLL.exe program.
- Restart your computer after you finish installing all of the updates.
For more detailed information on installing updates, see Microsoft’s guide titled Installing and Deploying Updates for Microsoft Windows Server 2003.
Note: Not all patches, or fixes, that are intended to resolve one or two vulnerabilities, work flawlessly with all installations. Some patches might break parts of the system, or have other undesirable consequences, so it is important to check patches before applying them to all the servers in an installation. This is frequently done by setting up a test system, either a virtual copy of the server configuration or a separate test server, and testing the patches.
If there is a problem with a patch, it can be removed by going to the Control Panel and then selecting Add or Remove Software. Make sure “Show Updates” is checked then click on the update and click on “remove.”
As an alternative to the Microsoft supplied programs, or as a supplement, you can use a third-party patch manager like ManageEngine from Desktop Central to manage Windows and non-Windows patches.
2015 patches for Windows Server 2003
Here are some of the recently released 2015 patches for Windows Server 2003. Make sure they are all applied as soon as possible.
“GsDraw error (1): GenericError” — This fix is for when an error occurs and the application crashes when text outline is created in Windows.
MS15-057 — This vulnerability could allow remote code execution if Windows Media Player opens specially crafted s this vulnerability could take complete control of an affected system remotely. Corrupt pst file outlook 2013.
MS15-061 — This patch resolves vulnerabilities that could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights.
MS15-044 and MS15-051 — This patch prevents remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded TrueType fonts. Without this patch, a cracker could elevate privileges via local logon and run arbitrary code in kernel mode. They could then possibly install programs, alter or delete data and create new accounts.
Check out this article to learn more about how GoDaddy handled the Windows 2003 server end-of-life.
Image by: dotty finlow via Compfightcc
Using Agent Builder tool you can produce custom agents for any platform you likes, including of course the different flavors of MS Windows.
In one of my most recent experiences with this tool, I dealt with a custom agent defined to excute a simple script on windows.
The agent was built for Windows 64 bit because the target system was a Windows 2003 SP2 64bit.
Once installed and configured, the agent was never able to start.
When the service was started, it just returned message:
'The service did not respond to the start or control request in a timely fashion' in the Windows event log.
No RAS1 logs were created and nothing else was available into ITMHOME log files concerning this custom agent.
What to do in this case to understand why the service does not complete initialization ?
The quickest option is to look for the process executable name and launch it using the TEST flag.
So in case the binary name is k23agent.exe, from a command prompt, go to tmaitm6_x64:
cd c:ibmitmtmaitm6_x64
and then executes the agent binary with this syntax:
k23agent.exe TEST
The TEST keyword runs the ITM agents in debugging mode into the console.
Under normal conditions, it should stay running and write nothing.
In this specific case instead I was showed an error window.
As soon as the k23agent.exe tries to start, it immediately fails with:
'The procedure entry point CancelIoEx could not be located in the dynamic link library kernel32.dll'
And this is indeed the root cause of the problem.
The procedure CancelIoEx was not present into the KERNEL32.dll before a certain period (pre-Vista).
So basically also in the failing machine, the file KERNEL32.dll was not including the procedure CancelIoEx and so the agent could not complete initialization.
In order to fix it, theoretically you should look for a newer version of KERNEL32.dll, but considering that Windows 2003 is out of support
since some time, if you really need to run something on this platform, you have to look to a different solution.
A quick test done on a Windows 2003 SP2 32bit with a 32bit version of the agent, revealed that it was instead able to initialize and run fine.
We can consider running the 32bit version of the agent also in Windows 2003 SP2 64bit, as it is anyway supported.
It is for sure safer and quicker than upgrading the operating system just to look for a single function on a single dll file.
Best regards
Check out all our other posts and updates:
Windows Server 2003 Service Pack 1 (SP1) Administration Tools Pack and Windows Server 2003 R2 Administration Tools Pack can be installed without error on Windows Vista. However, the following error message will appear whenever attempting to load Active Directory Users and Computers, Active Directory Domains and Trusts, etc:
Windows 2003 Sp2 Iso
MMC could not create the snap-in.
The issue occurred because Windows Vista requires elevated user rights when a .dll file is registered for enhanced security, and the Administration Tools Pack is not installed by a user who has administrative user rights. Microsoft KB930056 provides a simple solution and workaround for this error:
- Open a command prompt with administrative privileges (instructions here).
- Copy and paste the following commands into the elevated command prompt, or you can save the commands into a batch file, and then execute the batch script:
regsvr32 /s adprop.dll
regsvr32 /s azroles.dll
regsvr32 /s azroleui.dll
regsvr32 /s ccfg95.dll
regsvr32 /s certadm.dll
regsvr32 /s certmmc.dll
regsvr32 /s certpdef.dll
regsvr32 /s certtmpl.dll
regsvr32 /s certxds.dll
regsvr32 /s cladmwiz.dll
regsvr32 /s clcfgsrv.dll
regsvr32 /s clnetrex.dll
regsvr32 /s cluadmex.dll
regsvr32 /s cluadmmc.dll
regsvr32 /s cmproxy.dll
regsvr32 /s cmroute.dll
regsvr32 /s cmutoa.dll
regsvr32 /s cnet16.dll
regsvr32 /s debugex.dll
regsvr32 /s dfscore.dll
regsvr32 /s dfsgui.dll
regsvr32 /s dhcpsnap.dll
regsvr32 /s dnsmgr.dll
regsvr32 /s domadmin.dll
regsvr32 /s dsadmin.dll
regsvr32 /s dsuiwiz.dll
regsvr32 /s imadmui.dll
regsvr32 /s lrwizdll.dll
regsvr32 /s mprsnap.dll
regsvr32 /s msclus.dll
regsvr32 /s mstsmhst.dll
regsvr32 /s mstsmmc.dll
regsvr32 /s nntpadm.dll
regsvr32 /s nntpapi.dll
regsvr32 /s nntpsnap.dll
regsvr32 /s ntdsbsrv.dll
regsvr32 /s ntfrsapi.dll
regsvr32 /s rasuser.dll
regsvr32 /s rigpsnap.dll
regsvr32 /s rsadmin.dll
regsvr32 /s rscommon.dll
regsvr32 /s rsconn.dll
regsvr32 /s rsengps.dll
regsvr32 /s rsjob.dll
regsvr32 /s rsservps.dll
regsvr32 /s rsshell.dll
regsvr32 /s rssubps.dll
regsvr32 /s rtrfiltr.dll
regsvr32 /s schmmgmt.dll
regsvr32 /s tapisnap.dll
regsvr32 /s tsuserex.dll
regsvr32 /s uddi.mmc.dll
regsvr32 /s vsstskex.dll
regsvr32 /s w95inf16.dll
regsvr32 /s w95inf32.dll
regsvr32 /s winsevnt.dll
regsvr32 /s winsmon.dll
regsvr32 /s winsrpc.dll
regsvr32 /s winssnap.dll
regsvr32 /s ws03res.dllThis step will register the Windows 2003 management tools DLLs properly on Windows Vista.
Windows 7 Service Pack 2 Free Download
Beside, Microsoft has also released Windows Vista Application Compatibility Update (KB932246) that improves support and compatibility of Microsoft Windows Server 2003 Service Pack 1 (SP1) Administration Tools Pack in Windows Vista.
Update: Microsoft has released Microsoft Remote Server Administrative Tools (RSAT) package for Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2, which can replace Windows Server 2003 Administration Tools Pack, and is the recommended solution. Remote Server Administrative Tools (RSAT) package is a collection of command-line admin tools and graphical user interface (GUI) admin tools for Windows Vista and Windows 7 clients to remotely manage server roles in Windows Server 2008, in Windows Server 2008 R2, and in some Windows Server 2003 target computers cases. RSAT is a replacement for AdminPack and Support Tools in the Windows 2000 operating system and in the Windows Server 2003 operating system.