The first thing users will see when logging into SP2, the newly improved Windows® XP operating system, is a new Security Center informing them of the status of critical security features, such as the firewall, antivirus updates, and automatic updates. Following is a brief look at the major improvements in XP security found within SP2.
Microsoft has renamed the previous Internet Connection Firewall to Windows Firewall. The newly named firewall is now turned on by default, with ports closed except when they are in use, an improved user interface for configuration, improved application compatibility, and enhanced administration through group policy settings which allow separate policies to be defined for firewall configuration. Inbound connections can be restricted based on their origin, and remote procedure call (RPC) vulnerability is greatly reduced through SP2’s insistence upon secure RPC connections. DCOM also has additional access control restrictions to protect against network attacks.
Some attacks exploit vulnerabilities that allow too much data to be copied into areas of the computer’s memory (buffer overflow). To mitigate this vulnerability, core Windows components have been recompiled with protection against buffer overruns. Microsoft has also teamed up with Intel and AMD to implement hardware-based protection against the buffer overflow vulnerability. Using this data execution prevention (DEP) mechanism in the processor, the CPU marks all memory locations in an application as non-executable unless they contain executable code. Thus, when a virus or worm inserts malicious code into an application, the application won’t run it.
Email Handling and Web Browsing:
MIME types are handled more safely by renaming files to match their true types before placing them in the cache. SP2 also tightens up access to cached objects by blocking access when navigating away from the page that loaded the object. Finally, SP2 has added a pop-up blocker within the Privacy tab of IE’s Internet Options. Users are notified when pop-ups are encountered, and they can choose to view the pop-ups they want to see. Restrictions are also placed on the size, format, and placement of pop-ups, preventing borderless windows which might cover other pages.
With SP2 Microsoft has added some new features to help manage the configuration and updating of systems. A new Manage Add-ons feature assists in managing ActiveX controls and other IE extensions. This feature lists add-ons that have been loaded, their status, source, and the validity of their digital signatures. Add-ons can be disabled, and a history of usage is available.
A new mechanism has been added for handling and analyzing add-on crashes. Downloading files is now more secure too. Users are warned not only when they download files, but also when they open downloaded files after they have been saved locally. Files extracted from downloaded zipped files also generate the same warning. Finally, SP2 differentiates between Java virtual machines (JVMs) in general and the Microsoft JVM, allowing users to disable the Microsoft JVM without disabling others.
A final release version of SP2 was made available August 9th and is nearly 270MB. Microsoft is making it available for download over the Internet for users with a broadband connection. The new Windows Update 5.0 includes a “Checkpoint Restart” feature, allowing resumption of a download when the Internet connection is interrupted.
SP2 can be downloaded in the background and will take about 40% of the available bandwidth. For those who have turned on the auto-update feature of Windows, SP2 will download without the user’s knowledge, and Windows Update will not duplicate any download that the automatic update has already installed. For those without broadband connections, Microsoft is offering a free CD via the mail.
SP2 can be installed using a few different methods. If the computer is already running Windows XP Home Edition or Windows XP Professional, the standalone version of SP2 can be installed separately as an update. For those wanting to upgrade the operating system as well as install SP2, the operating system and service pack can be installed simultaneously.
SP2 is surely good news for organizations and the systems administrators who support them. However, there are some issues to be aware of. Most notable among the potential problems are those caused by the new default firewall. Because the firewall restricts access to ports, some applications may be restricted in ways which will require firewall configuration.
Laptop users pose special problems for operating system firewalls, as they require different configurations based upon whether users are behind or outside of the corporate firewall. In such cases separate profiles will need to be used: the Domain Profile for those behind the corporate firewall, and the Mobile Profile for those beyond the domain controller. The Network Location Awareness tool will determine which to use at any given time. Organizations wanting to adopt SP2 without going through the sometimes frustrating task of configuration can turn off the firewall through a group security policy.
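As an alternative to switching the firewall off, the per-profile configuration described above can be scripted with the netsh firewall context that ships with SP2. This is an added example, not part of the original article; the program path, port number, rule names and address range are constructed placeholders, and netsh refers to the profile used away from the domain as STANDARD.

```batch
@echo off
rem Added example: per-profile Windows Firewall settings on XP SP2.
rem Port 5000, the ExampleApp path and the 10.20.0.0 range are
rem constructed placeholders; substitute the values for your environment.

rem Show which profile Network Location Awareness has selected right now.
netsh firewall show currentprofile

rem Behind the corporate firewall: firewall on, configured exceptions honored.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem Away from the domain: firewall on, and no exceptions honored at all.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem Open one port for a line-of-business application, only in the domain
rem profile and only to a specific management address range.
netsh firewall add portopening protocol=TCP port=5000 name="ExampleApp listener" mode=ENABLE scope=CUSTOM addresses=10.20.0.0/255.255.0.0 profile=DOMAIN

rem Allow a program by path instead of by port, limited to the local subnet.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\agent.exe" name="ExampleApp agent" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Log dropped packets so blocked applications can be identified
rem before any further exception is added (file size is in KB).
netsh firewall set logging filelocation=%windir%\pfirewall.log filesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Review the resulting configuration for both profiles.
netsh firewall show config
```

Reviewing the dropped-packet log after a pilot deployment shows which applications actually need an exception, so each one can be scoped to the domain profile rather than opened everywhere.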
Despite the potential complications, however, SP2 is good news for security-minded IT professionals. Be sure to plan for its deployment in your enterprise soon.