August 18, 2003 12:00 AM

Windows Server 2003: Secure By Default

10 default changes every administrator should know about
Windows IT Pro
InstantDoc ID #39808

In Windows 2003, Microsoft has eliminated this part of the attack surface by locking down IIS. Although Windows 2003 comes with IIS, IIS isn't part of the default installation. If you don't need to run IIS on your servers, you don't need to do anything different with Windows 2003—you can just enjoy the extra disk space and memory you'll have in IIS's absence.

If you need a dedicated Web server, you can install IIS as an option. (You can also use Windows Server 2003, Web Edition, which installs and enables IIS by default.) After you install IIS, you'll find that its functions are initially restricted to foil exploit attempts. Windows 2003 applies the IIS Lockdown Wizard, which Microsoft released for Internet Information Services (IIS) 6.0. The wizard's default configurations aggressively limit connection timeouts and other configurable settings—a dramatic change from earlier IIS releases. In addition, IIS 6.0 can serve only static Web pages by default; you must reconfigure IIS if you want to support dynamic content. During an upgrade from Win2K to Windows 2003, Windows 2003 disables all aspects of IIS.

7. More Services Turned Off by Default
Many services that were enabled by default in Win2K are disabled by default in Windows 2003. Appendix A in the Microsoft article "Windows Server 2003 Security" (http://www.microsoft.com/windowsserver2003/techinfo/overview/secinnovation.mspx) includes a list of those Windows 2003 services that are turned off by default. This list includes such services as Alerter, Human Interface Device Access, Kerberos Key Distribution Center (KDC), and Telnet. These services are also disabled when you upgrade Win2K to Windows 2003. Many of these services are infrequently used but nonetheless constitute a security vulnerability if left enabled because some of these services (e.g., Telnet) are quite powerful. So, you need to determine your current server needs and enable only the necessary services.
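The two preceding sections describe defaults that drift back the moment someone re-enables a service "temporarily". The following script is an added example, not code from the article or from Microsoft: it checks the services the text names (Alerter, Human Interface Device Access, Kerberos KDC, Telnet) plus IIS's World Wide Web Publishing Service and reports any that are installed and not both disabled and stopped. It assumes Windows PowerShell on the host being audited (PowerShell did not exist when the article was written) and uses WMI because `Win32_Service` exposes `StartMode` on every PowerShell version; the short service names are the real Windows names, and the list should be extended with the rest of Appendix A for your own builds.

```powershell
# Added example (not from the article): audit services Windows Server 2003
# leaves disabled by default and flag any that have been turned back on.

$ExpectedDisabled = @(
    @{ Name = 'Alerter'; Display = 'Alerter' },
    @{ Name = 'HidServ'; Display = 'Human Interface Device Access' },
    @{ Name = 'kdc';     Display = 'Kerberos Key Distribution Center' },
    @{ Name = 'TlntSvr'; Display = 'Telnet' },
    # IIS is not installed by default; drop this entry on a dedicated Web server.
    @{ Name = 'W3SVC';   Display = 'World Wide Web Publishing Service (IIS)' }
)

function Test-ServiceStaysDisabled {
    param([string]$Name, [string]$Display)

    # WMI exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"

    if ($null -eq $svc) {
        # Not installed at all is the expected, secure condition (e.g. IIS).
        return New-Object PSObject -Property @{
            Name = $Name; Display = $Display; Installed = $false
            State = 'n/a'; StartMode = 'n/a'; Compliant = $true
        }
    }

    # Compliant only if the service cannot start on its own and is not running now.
    $compliant = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
    New-Object PSObject -Property @{
        Name = $Name; Display = $Display; Installed = $true
        State = $svc.State; StartMode = $svc.StartMode; Compliant = $compliant
    }
}

$results = foreach ($entry in $ExpectedDisabled) {
    Test-ServiceStaysDisabled -Name $entry.Name -Display $entry.Display
}

$results | Select-Object Name, Installed, StartMode, State, Compliant | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or build check fail on drift.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    $names = ($drift | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} service(s) no longer at the secure default: {1}" -f $drift.Count, $names)
    exit 1
}
```

A service set to Manual but currently stopped is reported as non-compliant on purpose: the article's point is that the service cannot be started at all unless you decide it is needed, so "Disabled" is the only start mode the check accepts.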

8. Restrictions to NTLM Communications
Many Win2K system exploitations in the past 3 years have taken advantage of seemingly innocuous aspects of the OS. Although Microsoft designers once included extra features and functions that supported outmoded operations, they're now taking a hard look at everything that they add. For example, in an effort to maximize backward compatibility with NT and other early OSs, Microsoft designed Win2K to respond to any NT LAN Manager (NTLM)-style NetBIOS communication. However, Windows 2003 ignores NTLM service requests that haven't been issued by an authenticated source. This change will likely have little effect on applications or operations, but you might want to test any of your server applications that use NetBIOS procedure calls.

9. Signed SMB Packets Required for DC Communications
Unlike Win2K, Windows 2003 requires signed Server Message Block (SMB) packets for domain controller (DC) communications. Authentication and other core networking functions use SMB packets extensively. All packets must be signed unless a client dates back to Windows 3.1 or Windows for Workgroups (WFW). Although this new requirement closes an exploitable vulnerability, it likely won't affect your servers' or applications' functionality.
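The signing requirement described above is held in two registry values per side of the SMB connection, and an administrator verifying that a domain controller still enforces it wants to read them rather than trust the policy editor. This script is an added example, not code from the article: it reports the `RequireSecuritySignature` and `EnableSecuritySignature` DWORDs under the real `LanmanServer` and `LanmanWorkstation` parameter keys (the values behind the "Digitally sign communications" security options), and it assumes Windows PowerShell on the host being checked. A value that is absent means the OS or Group Policy default applies, so it is reported as "not set" rather than guessed.

```powershell
# Added example (not from the article): read the SMB signing settings for this
# host's server (LanmanServer) and client (LanmanWorkstation) sides.

function Get-SmbSigningSetting {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Server', 'Client')]
        [string]$Side
    )

    $key = if ($Side -eq 'Server') {
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    } else {
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    }

    # Read one DWORD value, returning $null when it has never been set.
    function Read-Flag([string]$Name) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $require = Read-Flag 'RequireSecuritySignature'   # 1 = signing is mandatory
    $enable  = Read-Flag 'EnableSecuritySignature'    # 1 = signing is offered/negotiated

    # Keep "not set" distinct from an explicit 0 so the report is not misleading.
    $requiredText = if ($null -eq $require) { 'not set (default applies)' } else { [bool]$require }
    $enabledText  = if ($null -eq $enable)  { 'not set (default applies)' } else { [bool]$enable }

    New-Object PSObject -Property @{
        Side     = $Side
        Required = $requiredText
        Enabled  = $enabledText
    }
}

$settings = @('Server', 'Client') | ForEach-Object { Get-SmbSigningSetting -Side $_ }
$settings | Select-Object Side, Required, Enabled | Format-Table -AutoSize

# On a domain controller the default described in the article is "required" on
# the server side; warn only when the registry shows it explicitly switched off.
$server = $settings | Where-Object { $_.Side -eq 'Server' }
if ($server.Required -eq $false) {
    Write-Warning 'Server-side SMB signing is explicitly not required; unsigned sessions will be accepted.'
}
```

Run it on each DC after applying or inheriting a Group Policy that touches these options; the explicit-zero case is the one worth alerting on, because it is the only way a 2003 DC ends up accepting unsigned SMB from clients newer than Windows for Workgroups.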

10. Remote Execution Restricted to Administrators
You can use two services to remotely run commands and programs on systems: Rexec and Rcmd. In Win2K, anyone who had authority to log on to a system and ACL permission to execute a file could use these commands. In Windows 2003, only those people with accounts that have local administrative privileges can use these commands. Before you try to use Rexec or Rcmd in a Windows 2003 system, you should verify that your account (or the account with which you launch a script that includes these commands) has the necessary administrative privileges.

Default Protection
Windows 2003 offers many optional features and functions that you can use to secure your system, such as authentication, forest trust relationships, audit collection, and strong file encryption. However, until you get the chance to deploy those features and functions, the 10 changes I've described can protect your system. Windows 2003's new defaults offer at least some protection to those administrators who never configure anything beyond the default settings.



Comments
  • eziots
    8 years ago
    Sep 23, 2004

    Good info. Should also read the Microsoft-supplied Security Guides for Win2k3 along with the Win2k3 Admin Companion. Definitely a step in the right direction.

  • RICHARD
    8 years ago
    Aug 27, 2004

    Useful information. Something like this updated as patches change behavior would be even more useful.

  • RICHARD
    8 years ago
    Aug 27, 2004

    Very informative article. Thank you.

  • Ben Meijer
    8 years ago
    Jun 17, 2004

    This article states it's available, but I can't find RCMD on Server 2003 (not in rktools or supporttools either).
