Of late I have been having fun supporting applications that were written for Windows 2000 as they are implemented on Windows Server 2003.
Windows Server 2003 is the first microsoft OS that actually takes security seriously.
By default everything is switched off and needs to be enabled. This has the minor drawback that all of the switches needed are not clearly documented plus the previously working configuration tools do not inform you that they have been disabled at a higher level.
For example you need to explicitly install IIS, COM+ and ASP.NET
On a new server 2003 you need to use Add/Remove Programs to install ASP.NET and IIS.
There is also the IIS Lockdown wizard to content with.
These new security features are great but need to be backed up with some serious, easy to find, clear documentation.
Don’t get me started on the lack of intelligable documentation for Active Directory. That has simply thousands of switches with incredibly vague names.